
AWS adding the load balancer with same SSL certs

I have two components of the service (frontend and backend). The service has some SSL certs, and I am trying to use the same SSL certificates by uploading them to AWS using aws acm. When I run aws acm list-certificates --region us-west-2, I get a list of two CertificateArn values with the same domain name.

Expected: I want two load balancers, one for the backend and one for the frontend. How can I achieve this?

Service 1:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "haproxy-ingress"
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/subnets: subnet-0b52a56cbb1dd0673, subnet-0f610a337c06e665d
    alb.ingress.kubernetes.io/certificate-arn: arn-value-1
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/success-codes: 200-399
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '300'
spec:
  rules:
    - http:
        paths:
         - path: /*
           backend:
             serviceName: ssl-redirect
             servicePort: use-annotation
         - path: /*
           backend:
             serviceName: service-1
             servicePort: 80

apiVersion: v1
kind: Service
metadata:
  name: service-1
  namespace: kube-system
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn-value-1
spec:
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 8080
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080
  type: ClusterIP
  selector:
    app: service-1

Service 2:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "haproxy-ingress"
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/subnets: subnet-0b52a56cbb1dd0673, subnet-0f610a337c06e665d
    alb.ingress.kubernetes.io/certificate-arn: arn-value-1
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/success-codes: 200-399
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '300'
spec:
  rules:
    - http:
        paths:
         - path: /*
           backend:
             serviceName: ssl-redirect
             servicePort: use-annotation
         - path: /*
           backend:
             serviceName: service-2
             servicePort: 80

apiVersion: v1
kind: Service
metadata:
  name: service-2
  namespace: kube-system
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn-value-1
spec:
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 8080
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080
  type: ClusterIP
  selector:
    app: service-2

If you're trying to use the same SSL certificate, you will only need to upload the certificate to ACM once. Both certificates will have the same domain name, as this is the primary domain name included in the certificate. If you're looking to validate any secondary names, these can be found by running the describe-certificate function and accessing the contents of the SubjectAlternativeNames attribute.

When you create the load balancers, you would simply specify the same ACM ARN for the listeners in both load balancers.
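The two checks the answer describes, as an added example that is not part of the original answer: it finds domain names imported into ACM more than once and confirms that one certificate's SubjectAlternativeNames cover both load balancer hostnames. The JSON samples, account ID, certificate IDs and hostnames are constructed placeholders; the field names are those returned by aws acm list-certificates and aws acm describe-certificate.

```python
import json
from collections import defaultdict

# Constructed sample of `aws acm list-certificates --region us-west-2` output
# (placeholder account ID and certificate IDs, not values from the question).
LIST_OUTPUT = json.loads("""
{"CertificateSummaryList": [
  {"CertificateArn": "arn:aws:acm:us-west-2:111111111111:certificate/EXAMPLE-1",
   "DomainName": "example.com"},
  {"CertificateArn": "arn:aws:acm:us-west-2:111111111111:certificate/EXAMPLE-2",
   "DomainName": "example.com"}
]}
""")

# Constructed sample of `aws acm describe-certificate` output for one of the ARNs.
DESCRIBE_OUTPUT = {"Certificate": {
    "CertificateArn": "arn:aws:acm:us-west-2:111111111111:certificate/EXAMPLE-1",
    "DomainName": "example.com",
    "SubjectAlternativeNames": ["example.com", "*.example.com"],
}}

def duplicate_imports(list_output):
    """Map each DomainName to its ARNs, keeping only names imported more than once."""
    by_domain = defaultdict(list)
    for item in list_output["CertificateSummaryList"]:
        by_domain[item["DomainName"]].append(item["CertificateArn"])
    return {name: arns for name, arns in by_domain.items() if len(arns) > 1}

def name_matches(pattern, host):
    """TLS-style match: a leading '*' covers exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def uncovered_hosts(describe_output, hosts):
    """Return the hosts that no SubjectAlternativeNames entry covers."""
    sans = describe_output["Certificate"]["SubjectAlternativeNames"]
    return [h for h in hosts if not any(name_matches(s, h) for s in sans)]

if __name__ == "__main__":
    print("imported more than once:", duplicate_imports(LIST_OUTPUT))
    # Hypothetical hostnames for the two load balancers.
    print("not covered:", uncovered_hosts(
        DESCRIBE_OUTPUT, ["frontend.example.com", "backend.example.com"]))
```

An empty "not covered" list means a single ARN can be set on both listeners, and the duplicate import is redundant.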
