Skip to content

Fix ACM certificate creation for Ingresses with wildcard hosts#4786

Open
nbr wants to merge 2 commits into
kubernetes-sigs:mainfrom
chronograph-pe:cert-non-wildcard-domainname
Open

Fix ACM certificate creation for Ingresses with wildcard hosts#4786
nbr wants to merge 2 commits into
kubernetes-sigs:mainfrom
chronograph-pe:cert-non-wildcard-domainname

Conversation

@nbr

@nbr nbr commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

Description

The create-acm-cert annotation requests one certificate per ingress, using every host as a SAN and the first host as the Domain Name (buildCertificateSpec).

  • Hosts are a sorted set, so a wildcard like *.app.example.com sorts first and becomes the Domain Name.
  • The Domain Name is baked into the certificate's resource ID and written as an ACM tag (buildCertificateResourceID, surfaced by ResourceTags).
  • ACM rejects * in tag values ([\p{L}\p{Z}\p{N}_.:/=+\-@]*), so RequestCertificate fails for any ingress with a wildcard host:

ValidationException: Value of the input at 'tags' failed to satisfy constraint: Member must satisfy regular expression pattern: ...

Note this is only the tag value. ACM accepts a wildcard Domain Name on the certificate itself.

Fix

  • Replace * with wildcard in the resource ID before it's used as a tag value.
  • The Domain Name and SANs sent to ACM are unchanged, so the certificate covers the same names and the resource ID stays unique per ingress.
  • Also handles ingresses whose hosts are all wildcards.

Tests

  • model_build_certificates_test.go: an all-wildcard ingress case, plus a test asserting the resource ID contains no *.

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the docs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

  • Backfilled missing tests for code in same general area 🎉
  • Refactored something and made the world a better place 🌟

Ingress hosts are a sorted set, so a wildcard host (e.g. *.app.example.com)
sorts first and became the certificate DomainName. DomainName is stamped into
the certificate resourceID tag, and ACM's tag-value pattern
([\p{L}\p{Z}\p{N}_.:/=+\-@]*) forbids '*', so RequestCertificate failed with a
400 ValidationException for ingresses fronted by a wildcard host.

Pick the first non-wildcard host as DomainName, leaving the wildcard in the
SAN list so coverage is unchanged. Add a unit test asserting a non-wildcard
host is chosen as DomainName.
@k8s-ci-robot k8s-ci-robot requested review from shuqz and zac-nixon June 5, 2026 20:08
@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 5, 2026
@k8s-ci-robot

Copy link
Copy Markdown
Contributor

Hi @nbr. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jun 5, 2026

@the-technat the-technat left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch!

I think your fix is valid. But regarding the case you mentioned with an ingress only containing wildcards, I think it could also be elegant just doing a search/replace action on the tag value. AWS tag values can be up to 255 chars long, and the hash consists of the namespace/name and hostname which all have to be max 64 characters, so replacing * with "wildcard" would be valid too.

@nbr nbr changed the title Prefer a non-wildcard host as the certificate DomainName Fix ACM certificate creation for Ingresses with wildcard hosts Jun 8, 2026
@nbr

nbr commented Jun 8, 2026

Copy link
Copy Markdown
Contributor Author

Good catch!

I think your fix is valid. But regarding the case you mentioned with an ingress only containing wildcards, I think it could also be elegant just doing a search/replace action on the tag value. AWS tag values can be up to 255 chars long, and the hash consists of the namespace/name and hostname which all have to be max 64 characters, so replacing * with "wildcard" would be valid too.

@the-technat Thanks for the feedback, I pivoted the PR to address the tag issue directly

The certificate resourceID embeds the DomainName and is written as an ACM
tag, but ACM rejects '*' in tag values ([\p{L}\p{Z}\p{N}_.:/=+\-@]*), so
RequestCertificate fails for any ingress fronted by a wildcard host.

Replace '*' with 'wildcard' in the resourceID before it is used as a tag.
The DomainName and SANs sent to ACM are unchanged, so coverage is the same
and the resourceID stays unique per ingress. This also covers ingresses
whose hosts are all wildcards, which the previous non-wildcard DomainName
preference could not handle.
@k8s-ci-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: nbr, the-technat
Once this PR has been reviewed and has the lgtm label, please assign shraddhabang for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants