I'm currently setting up an Ingress in Kubernetes to work with an AWS ALB, and I need to manage TLS certificates via AWS Certificate Manager (ACM). I had to create the ACM certificate manually to make the ingress work, but I'm looking for a way to automate this process directly from Kubernetes.
Here is my current Ingress configuration:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: game-2048
  name: ingress-2048
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/group.name: "application-shared-lb"
spec:
  tls:
  - hosts:
    - snpv.cclab.cloud-castles.com
    secretName: game-2048-tls
  ingressClassName: alb
  rules:
  - host: snpv.cclab.cloud-castles.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service-2048
            port:
              number: 80
I've found this documentation about AWSPCAClusterIssuer, which creates private ACM certificates, but it only terminates when the ingress class is nginx and doesn't suit my needs.
Is there a recommended way or existing tool to automate ACM certificate provisioning and integration with Kubernetes, especially for scenarios like mine where the Ingress needs to interface directly with AWS resources?
ACM public SSL certificate creation from EKS is a feature request being tracked here: https://github.com/aws-controllers-k8s/community/issues/482
The AWS Load Balancer Controller can automatically discover the certificate from the host: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.5/guide/ingress/cert_discovery/#discover-via-ingress-rule-host
The following attaches a cert for dev.example.com or *.example.com to the ALB:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: default
  name: ingress
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
spec:
  ingressClassName: alb
  rules:
  - host: dev.example.com
    http:
      paths:
      - path: /users
        pathType: Prefix
        backend:
          service:
            name: user-service
            port:
              number: 80
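To see which ACM certificate the discovery described in the answer above would pick for a given Ingress, here is an added example (not code from the question, the answer, or the AWS Load Balancer Controller). It collects the hosts the controller looks at (`spec.rules[].host` and `spec.tls[].hosts`) from an Ingress object and matches them against a constructed, inline list of ACM certificates using the documented rule: an exact match on the certificate's domain name or SANs, or a single-label wildcard such as `*.example.com`. The certificate data is made up so the script runs offline; the field names only mirror the shape of `aws acm describe-certificate` output, and treating only `ISSUED` certificates as candidates is an assumption.

```python
"""Added example: which ACM certificates would ALB cert discovery select for an Ingress?

Constructed data throughout; this is not the controller's code. Matching rule
assumed: exact domain match, or a wildcard that covers exactly one DNS label.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class AcmCert:
    """Minimal stand-in for an ACM certificate (constructed, not from AWS)."""
    arn: str
    domain_name: str
    sans: list[str] = field(default_factory=list)
    status: str = "ISSUED"

    def names(self) -> set[str]:
        return {self.domain_name, *self.sans}


def domain_matches(pattern: str, host: str) -> bool:
    """True if `pattern` (exact name or `*.suffix`) covers `host`.

    A wildcard covers exactly one label: *.example.com matches dev.example.com
    but neither example.com nor a.b.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        if host.endswith(suffix):
            prefix = host[: -len(suffix)]
            return bool(prefix) and "." not in prefix
    return False


def ingress_hosts(ingress: dict) -> list[str]:
    """Hosts the controller considers for discovery: rule hosts plus TLS hosts."""
    spec = ingress.get("spec", {})
    hosts: set[str] = set()
    for rule in spec.get("rules", []):
        if rule.get("host"):
            hosts.add(rule["host"])
    for tls in spec.get("tls", []):
        hosts.update(tls.get("hosts", []))
    return sorted(hosts)


def discover_certs(host: str, certs: list[AcmCert]) -> list[str]:
    """ARNs of issued certificates whose names cover `host`."""
    return [
        c.arn
        for c in certs
        if c.status == "ISSUED" and any(domain_matches(n, host) for n in c.names())
    ]


# Constructed sample certificates (hypothetical ARNs and domains).
SAMPLE_CERTS = [
    AcmCert("arn:aws:acm:us-east-1:111122223333:certificate/exact-dev", "dev.example.com"),
    AcmCert("arn:aws:acm:us-east-1:111122223333:certificate/wildcard", "*.example.com",
            sans=["example.com"]),
    AcmCert("arn:aws:acm:us-east-1:111122223333:certificate/pending", "dev.example.com",
            status="PENDING_VALIDATION"),
    AcmCert("arn:aws:acm:us-east-1:111122223333:certificate/other", "api.other.example"),
]

# Constructed Ingress mirroring the shape of the one in the answer.
SAMPLE_INGRESS = {
    "spec": {
        "ingressClassName": "alb",
        "tls": [{"hosts": ["dev.example.com"], "secretName": "ignored-by-alb"}],
        "rules": [{"host": "dev.example.com", "http": {"paths": []}}],
    }
}


def discovery_report(ingress: dict, certs: list[AcmCert]) -> dict[str, list[str]]:
    """Map each Ingress host to the certificate ARNs discovery would attach."""
    return {h: discover_certs(h, certs) for h in ingress_hosts(ingress)}


if __name__ == "__main__":
    for host, arns in discovery_report(SAMPLE_INGRESS, SAMPLE_CERTS).items():
        print(host, "->", arns or "NO MATCHING ISSUED CERT")
```

Two things the report makes visible that the YAML alone does not: a host with no matching issued certificate leaves the HTTPS listener without a usable certificate, so run a check like this before relying on discovery; and the `secretName` in `spec.tls` plays no part in the match, since the ALB controller takes certificates from ACM rather than from a Kubernetes Secret, so the `game-2048-tls` Secret in the question is not what terminates TLS on the ALB.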