Feature: log a warning if ARN of certificate is not in the same region where ALB is being created #2754

Open
rodrigc opened this issue Aug 9, 2022 · 8 comments
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

rodrigc commented Aug 9, 2022

Is your feature request related to a problem?
If you create a Kubernetes cluster in AWS, and an ALB is being created
in a particular AWS region, the certificate must be stored in AWS Certificate Manager in the same region as the ALB, otherwise when creating an ingress, the ingress will fail.

A warning will look like:

  Warning  FailedDeployModel  50m   ingress  Failed deploy model due to ValidationError: Certificate ARN 'arn:aws:acm:us-east-1:XXXX:certificate/mycert' is not valid

See description of problem here: https://kubernetes.slack.com/archives/C8SH2GSL9/p1659997656606629

Describe the solution you'd like
Print out a warning to the logs, indicating that the ARN of the certificate
is for a region which is different from the region where the ALB and ingress are being created.
This will give the end user better diagnostics as to the source of the problem.

Describe alternatives you've considered
I set up an EKS cluster in us-east-2, and tried to use a certificate stored in us-east-1 and ingress creation failed.
The ValidationError error message which came back was confusing and did not help me root cause the problem.

@kishorj kishorj added kind/feature Categorizes issue or PR as related to a new feature. good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. labels Aug 10, 2022
kishorj (Collaborator) commented Aug 11, 2022

@rodrigc, we can parse the certificates specified via annotation, and if the certificate is from a different region than the controller, return appropriate error while building the model. This way we can return a more descriptive error and don't depend on the generic ALB errors.

rodrigc (Author) commented Aug 12, 2022

@kishorj that would be helpful.

When we use the AWS API to attach a certificate to an ALB, does the AWS API return a useful error message to indicate that the cert is invalid because it is stored in a different region in the AWS Cert Manager?

If not, then implementing your suggestion is good: parse the certificate ARN, compare the ARN region with the region of the ALB, and log the error if they don't match.
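The check sketched in the two comments above (parse each certificate ARN from the ingress annotation, compare its region with the controller's region, and fail model building with a descriptive error rather than waiting for the generic ALB `ValidationError`) can be written in a few lines of Go. The code below is an added illustration, not code from the aws-load-balancer-controller repository: it splits the ARN by hand instead of using the AWS SDK's ARN parser, the function names are invented, and the sample ARNs are constructed (the one with the `XXXX` account ID is the placeholder from the warning quoted in the issue). Region comparison only applies to ACM certificates, since IAM server certificates have no region component in their ARN.

```go
package main

import (
	"fmt"
	"strings"
)

// parsedARN holds the six colon-separated fields of an AWS ARN:
// arn:partition:service:region:account-id:resource
type parsedARN struct {
	Partition string
	Service   string
	Region    string
	AccountID string
	Resource  string
}

// parseARN splits an ARN into its fields. The resource part may itself
// contain colons, so SplitN is limited to six pieces.
func parseARN(s string) (parsedARN, error) {
	parts := strings.SplitN(s, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" {
		return parsedARN{}, fmt.Errorf("invalid ARN %q: expected arn:partition:service:region:account:resource", s)
	}
	return parsedARN{
		Partition: parts[1],
		Service:   parts[2],
		Region:    parts[3],
		AccountID: parts[4],
		Resource:  parts[5],
	}, nil
}

// validateCertificateRegion returns a descriptive error when an ACM certificate
// ARN points at a region other than the one the ALB is being created in.
// Non-ACM certificate ARNs (e.g. IAM server certificates, which are global)
// are left for the AWS API to validate. (Hypothetical helper, not the controller's.)
func validateCertificateRegion(certARN, albRegion string) error {
	a, err := parseARN(certARN)
	if err != nil {
		return err
	}
	if a.Service != "acm" {
		return nil
	}
	if a.Region != albRegion {
		return fmt.Errorf("certificate %q is stored in ACM region %s but the ALB is being created in region %s; "+
			"the certificate must be in the same region as the load balancer", certARN, a.Region, albRegion)
	}
	return nil
}

// validateCertificateAnnotation checks every ARN in the comma-separated value of
// the alb.ingress.kubernetes.io/certificate-arn annotation and reports all
// mismatches at once, so the user sees every bad certificate in one event.
func validateCertificateAnnotation(annotation, albRegion string) error {
	var problems []string
	for _, raw := range strings.Split(annotation, ",") {
		arn := strings.TrimSpace(raw)
		if arn == "" {
			continue
		}
		if err := validateCertificateRegion(arn, albRegion); err != nil {
			problems = append(problems, err.Error())
		}
	}
	if len(problems) == 0 {
		return nil
	}
	return fmt.Errorf("%d invalid certificate ARN(s): %s", len(problems), strings.Join(problems, "; "))
}

func main() {
	// Constructed sample: controller runs in us-east-2, certificate lives in us-east-1.
	annotation := "arn:aws:acm:us-east-1:XXXX:certificate/mycert, arn:aws:acm:us-east-2:123456789012:certificate/ok"
	if err := validateCertificateAnnotation(annotation, "us-east-2"); err != nil {
		fmt.Println("model build failed:", err)
	} else {
		fmt.Println("all certificates are in the ALB region")
	}
}
```

Emitting this error while building the model means the ingress event names the offending ARN and both regions, which is exactly the diagnostic the original report asked for.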

johurul000 commented

@kishorj Hi, I am new to open source and would like to work on this issue. If you could help me it would be wonderful.

kishorj (Collaborator) commented Aug 31, 2022

@johurul000, sure, that would be wonderful. I will assign the issue to you. Feel free to reach out if you need further help.

/assign @johurul000

johurul000 commented

@kishorj should I try to recreate the issue in AWS EKS?

kishorj (Collaborator) commented Sep 7, 2022

@johurul000, you can use any k8s on AWS.

k8s-triage-robot commented

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 8, 2023
csauoss commented Jul 1, 2024

@kishorj if this is still needed, I can give it a try as my first issue. Thanks!
