Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Export issued cert into AWS ACM #3711

Closed
sylr opened this issue Feb 28, 2021 · 17 comments
Closed

Export issued cert into AWS ACM #3711

sylr opened this issue Feb 28, 2021 · 17 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/backlog Higher priority than priority/awaiting-more-evidence.

Comments

@sylr
Copy link

sylr commented Feb 28, 2021

Is your feature request related to a problem? Please describe.

We'd like to use ALB load balancer with certificates issued to cert-manager by other CA (like let's encrypt).

Describe the solution you'd like

Have cert manager export the issued certs to AWS ACM in addition to k8s secret.

Describe alternatives you've considered

Additional context

There are issues about issuing certificates from ACM, this issue is about doing the opposite.

Environment details (remove if not applicable):

  • Kubernetes version: 1.19
  • Cloud-provider/provisioner: aws
  • cert-manager version: 1.2.0
  • Install method: e.g. helm/static manifests

/kind feature
@jetstack-bot jetstack-bot added the kind/feature Categorizes issue or PR as related to a new feature. label Feb 28, 2021
@SgtCoDFish SgtCoDFish added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Apr 15, 2021
@EronWright
Copy link

This would be a great feature.

May I suggest that the imported ACM certificate be tagged to associate it with the Certificate resource. e.g. cert-manager.io/certificate-name: namespace/name. Consider recording the cert revision too.

For now, a possible workaround is to import the certificate into ACM from the Secret that is created by cert-manager. Here's a snippet of go code that converts the secret into the input data needed by the ACM API (ImportCertificate):

import (
	"encoding/pem"
	"errors"
	"github.com/aws/aws-sdk-go/service/acm"
	corev1 "k8s.io/api/core/v1"
)

func makeImportCertificateInput(secret *corev1.Secret) (input acm.ImportCertificateInput, err error) {
	raw := secret.Data["tls.crt"]
	block, _ := pem.Decode(raw) // extract the first certificate from the `tls.crt` key
	if block == nil || !(block.Type == "PUBLIC KEY" || block.Type == "CERTIFICATE") {
		return input, errors.New("failed to decode PEM block")
	}
	input.Certificate = pem.EncodeToMemory(block)
	input.CertificateChain = secret.Data["tls.crt"]
	input.PrivateKey = secret.Data["tls.key"]
	return input, nil
}

@EronWright
Copy link

Related issue: kubernetes-sigs/aws-load-balancer-controller#1084

@jetstack-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Sep 16, 2021
@jetstack-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Dec 16, 2021
@jetstack-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 16, 2022
@lawliet89
Copy link

/remove-lifecycle stale

@jetstack-bot jetstack-bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 16, 2022
@jetstack-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 14, 2022
@jetstack-bot
Copy link
Contributor

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

@jetstack-bot jetstack-bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jul 14, 2022
@jetstack-bot
Copy link
Contributor

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

@jetstack-bot
Copy link
Contributor

@jetstack-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@lawliet89
Copy link

/reopen

@jetstack-bot
Copy link
Contributor

@lawliet89: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sylr
Copy link
Author

sylr commented Aug 13, 2022

/reopen

@jetstack-bot jetstack-bot reopened this Aug 13, 2022
@jetstack-bot
Copy link
Contributor

@sylr: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot
Copy link
Contributor

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

@jetstack-bot
Copy link
Contributor

@jetstack-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@bacek
Copy link

bacek commented Feb 19, 2024

Any chances on getting this implemented?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/backlog Higher priority than priority/awaiting-more-evidence.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@bacek @sylr @lawliet89 @EronWright @SgtCoDFish @jetstack-bot