Certificate Discovery
TLS certificates for ALB Listeners can be automatically discovered with hostnames from Ingress resources if the `spec.certificateArn` in `IngressClassParams` or the `alb.ingress.kubernetes.io/certificate-arn` annotation is not specified.

The controller will attempt to discover TLS certificates from the `tls` field in Ingress and the `host` field in Ingress rules.

You must explicitly request an HTTPS listener with the `alb.ingress.kubernetes.io/listen-ports` annotation.
Discover via Ingress tls
Example
- attaches certs for `www.example.com` to the ALB
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: default
  name: ingress
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - www.example.com
  rules:
  - http:
      paths:
      - path: /users
        pathType: Prefix
        backend:
          service:
            name: user-service
            port:
              number: 80
```
Discover via Ingress rule host.
Example
- attaches a cert for `dev.example.com` or `*.example.com` to the ALB
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: default
  name: ingress
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
spec:
  ingressClassName: alb
  rules:
  - host: dev.example.com
    http:
      paths:
      - path: /users
        pathType: Prefix
        backend:
          service:
            name: user-service
            port:
              number: 80
```
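A pre-deployment check for the hostname matching described on this page, as an added example (not the controller's own code): it lists which certificates would cover each Ingress host so that hosts with no candidate are caught before the listener is created. It assumes standard TLS wildcard rules, where `*.` covers exactly one leading label; `matchesHost` and `discover` are hypothetical names, and the certificate inventory uses constructed placeholder ARNs.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// matchesHost reports whether a certificate domain name covers an Ingress host.
// Assumption: standard TLS wildcard rules, "*." stands for exactly one label.
func matchesHost(certDomain, host string) bool {
	certDomain, host = strings.ToLower(certDomain), strings.ToLower(host)
	if !strings.HasPrefix(certDomain, "*.") {
		return certDomain == host
	}
	i := strings.Index(host, ".")
	return i > 0 && host[i+1:] == certDomain[2:]
}

// discover maps every host to the sorted ARNs of the certificates covering it.
// An empty list means discovery would find nothing for that host.
func discover(hosts []string, certs map[string][]string) map[string][]string {
	found := make(map[string][]string, len(hosts))
	for _, h := range hosts {
		found[h] = []string{}
		for arn, domains := range certs {
			for _, d := range domains {
				if matchesHost(d, h) {
					found[h] = append(found[h], arn)
					break
				}
			}
		}
		sort.Strings(found[h])
	}
	return found
}

func main() {
	// Constructed inventory: placeholder ARN -> domain names on the certificate.
	certs := map[string][]string{
		"arn:aws:acm:REGION:ACCOUNT:certificate/EXAMPLE-1": {"www.example.com"},
		"arn:aws:acm:REGION:ACCOUNT:certificate/EXAMPLE-2": {"*.example.com"},
	}
	// Hosts as they would appear under spec.tls[].hosts or spec.rules[].host.
	hosts := []string{"www.example.com", "dev.example.com", "a.dev.example.com", "example.com"}
	found := discover(hosts, certs)
	for _, h := range hosts {
		fmt.Printf("%-20s %v\n", h, found[h])
	}
}
```

With this inventory, `a.dev.example.com` and the apex `example.com` come back with no candidates, because `*.example.com` does not span two labels or zero labels.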