alb.ingress.kubernetes.io/certificate-arn ordering: first certificate arn should be load bal default

[bbacker]

Thank you for all your work on this project.

We are running aws-load-balancer-controller:v2.1.1 and have a couple load balancers with multiple certificates.
It was our understanding that the first listed certificate should be the default certificate.

However after applying an alb definition starting like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "ingress-vert1"
  namespace: prod
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/subnets: 'subnet-1, subnet-2, subnet-3'
    alb.ingress.kubernetes.io/certificate-arn: 'arn1, arn2, arn3'
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80,"HTTPS": 443}]'

However after applying, I find my load balancer with arn2 as the default. (full arns shortened for brevity)

Is this expected behavior? If ordering is not yet important, could this be an enhancement request that the first listed
arn1 be made the load balancer default?

We have a very old client that is sensitive to which certificate is the default.

[M00nF1sh]

/kind bug
@bbacker
Sorry for the problem caused.

It is the expected behavior. This is a regression we introduced during v1->v2 rewrite. we'll fix this in next release.

[bbacker]

@M00nF1sh - thank you for the quick reply, and glad to hear it's on the list to fix. thanks

[BEvgeniyS]

Can we at least update the documentation so it would warn users of potential issues? Docs still claim that order is maintained:

The first certificate in the list will be added as default certificate. And remaining certificate will be added to the optional certificate list.

[kishorj]

Fixed in v2.2.0 release - https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.2.0