Reputation: 708
There are some applications deployed in the EKS Cluster and I am trying to manage custom domains (DNS) with Route53, Certificate Manager (HTTPS). I have deployed ingress-nginx to map the DNS and path to the correct pod.
Basically, there are some clients/pods that are using a custom domain, and other clients with the company domain, for example:
As we can see in the following diagram, to fix the 1 service to 1 certificate (1:1) we need to create an ingress-proxy group by domain (*.mycompany.com and customdomain.com).
What's the problem? That custom domain is different per client (Examples: carsAcompany.com, fridgesBcompany.com...) so we need to create an ingress-nginx for each one except for *.mycompany.com and I think that's not a good practice.
The thing is... I am using ingress-nginx (https://kubernetes.github.io/ingress-nginx/deploy/) provided by Kubernetes, but is there an alternative plugin / ingress that allows multiple certificates for the same service? Or is the same ingress-nginx able to use multiple certificates?
Upvotes: 1
Views: 1490
Reputation: 856
I've had this problem and the way I solved it is not pretty, but it definitely worked for me and I am happy with it.
In our firm, we were using Vault for secret management but we're using ACM for certs. As we know, the nginx ingress controller only supports having 1 ACM cert configured on it. So, instead of using ACM certificates on the ingress controller service, I created certs using Vault (Vault can act as its own CA).
Now I export those certs into k8s as secrets and define them on the ingress resource for each application. So, this way, I get to have a unique cert for each application using nginx ingress controller.
Upvotes: 3
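The per-application certificate layout described in the answer above, as an added example that is not the answerer's own manifest: one Ingress on a single ingress-nginx controller, with a separate TLS secret per host pointing at the same service. The namespace `apps`, the service `shop`, the host `app.mycompany.com` and both secret names are assumptions made for illustration.

```yaml
# Added illustration. Assumed names: namespace "apps", service "shop",
# secrets "mycompany-wildcard-tls" and "carsacompany-tls".
# Each secret is of type kubernetes.io/tls (keys tls.crt and tls.key) and must
# live in the same namespace as the Ingress that references it, for example:
#   kubectl -n apps create secret tls carsacompany-tls --cert=<cert.pem> --key=<key.pem>
# Restrict RBAC read access to these secrets: they hold the private keys.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  namespace: apps
spec:
  ingressClassName: nginx
  tls:
    # The controller picks the certificate by SNI host name.
    - hosts:
        - app.mycompany.com          # covered by the *.mycompany.com certificate
      secretName: mycompany-wildcard-tls
    - hosts:
        - carsacompany.com           # Ingress hosts must be lowercase DNS names
      secretName: carsacompany-tls
  rules:
    - host: app.mycompany.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: shop
                port:
                  number: 80
    - host: carsacompany.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: shop
                port:
                  number: 80
```

With this layout TLS terminates at the ingress controller rather than at the AWS load balancer, so the load balancer in front of it has to pass port 443 through as TCP instead of terminating HTTPS with an ACM certificate.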