Unable to Pass Multiple ACM Certificate ARNs to service.beta.kubernetes.io/aws-load-balancer-ssl-cert #3942

Open
vSharique opened this issue Nov 18, 2024 · 1 comment

@vSharique

Describe the bug
I encountered an issue when trying to pass multiple ACM certificate ARNs to the Kubernetes annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert. The operation fails, and the following error is returned:

Error syncing load balancer: failed to ensure load balancer: error creating listener: "error creating load balancer listener: \"ValidationError: Certificate ARN 'arn of certificate1, arn of certificate2' is not valid\n\tstatus code: 400, request id: e7c31ef5-06b6-4027-acff-ecc2d3762d26\""

Passing a single ACM certificate ARN works as expected. However, the issue arises specifically when multiple ARNs are provided.

Steps to reproduce

  1. Create a Kubernetes service with the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation.
  2. Provide a comma-separated list of ACM certificate ARNs as the value for the annotation.
    Example:
    metadata:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:region:account-id:certificate/cert1,arn:aws:acm:region:account-id:certificate/cert2"
  3. Deploy the service and observe the load balancer creation logs at the Kubernetes service level.

Expected outcome
The load balancer should be created successfully with listeners configured for all specified ACM certificates.

Environment

  • Ingress Nginx v1.12.0-beta.0
  • Helm Chart Version 4.12.0-beta.0
  • Kubernetes version 1.31
  • Using EKS 1.31
@zac-nixon
Contributor

I think I need more information; I can't replicate this by applying the manifest. How are you deploying the service?

apiVersion: v1
kind: Service
metadata:
  name: echoserver-cert
  namespace: echoserver
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "80"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:565768096483:certificate/e5b8b88e-99d6-429c-a7d1-172ae522f907,arn:aws:acm:us-west-2:565768096483:certificate/9bfe3677-0731-46b3-8bcf-4f5146e09140
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
spec:
  selector:
    app: echoserver
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
  type: LoadBalancer
  loadBalancerClass: service.k8s.aws/nlb
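
A pre-deploy check for the annotation value discussed in this issue, added here as an example (not code from the reporter, the maintainer or the project): it splits the comma-separated list and validates each entry as an ACM certificate ARN. The function name and the strictness rules (whitespace, duplicates, single region) are assumptions of this example.

```python
import re

# ACM certificate ARN: arn:<partition>:acm:<region>:<12-digit account>:certificate/<uuid>
ACM_ARN_RE = re.compile(
    r"^arn:(?:aws|aws-cn|aws-us-gov):acm:"
    r"([a-z]{2}(?:-[a-z]+)+-\d):"
    r"\d{12}:"
    r"certificate/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$"
)

# Annotation values as they appear in this thread.
REPORTER_VALUE = ("arn:aws:acm:region:account-id:certificate/cert1,"
                  "arn:aws:acm:region:account-id:certificate/cert2")
MAINTAINER_VALUE = ("arn:aws:acm:us-west-2:565768096483:certificate/e5b8b88e-99d6-429c-a7d1-172ae522f907,"
                    "arn:aws:acm:us-west-2:565768096483:certificate/9bfe3677-0731-46b3-8bcf-4f5146e09140")


def check_ssl_cert_annotation(value):
    """Split the annotation value on commas; return (valid_arns, problems)."""
    arns, problems, regions = [], [], set()
    for i, raw in enumerate(value.split(",")):
        item = raw.strip()
        if item != raw:
            # Strictness choice of this example, not a documented controller rule.
            problems.append(f"entry {i}: surrounding whitespace")
        if not item:
            problems.append(f"entry {i}: empty entry (stray comma)")
            continue
        match = ACM_ARN_RE.match(item)
        if match is None:
            problems.append(f"entry {i}: not a well-formed ACM certificate ARN: {item!r}")
        elif item in arns:
            problems.append(f"entry {i}: duplicate ARN")
        else:
            regions.add(match.group(1))
            arns.append(item)
    if len(regions) > 1:
        # ACM certificates are regional; a load balancer uses certificates from its own region.
        problems.append(f"certificates span several regions: {sorted(regions)}")
    return arns, problems


if __name__ == "__main__":
    for name, value in (("reporter", REPORTER_VALUE), ("maintainer", MAINTAINER_VALUE)):
        arns, problems = check_ssl_cert_annotation(value)
        print(f"{name}: {len(arns)} valid ARN(s)")
        for problem in problems:
            print(f"  problem: {problem}")
```

The reporter's value is flagged only because the issue shows placeholders (region, account-id, cert1) in place of the real ARN fields.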
