I am using EKS but would love to hear any and all options and suggestions, regardless of whether they are only available from another cloud vendor's managed solution.
My first instinct was to use the new AWS Load Balancer Controller which can create an ALB + WAF setup. This guide seems like exactly what I was thinking of: https://aws.amazon.com/premiumsupport/knowledge-center/eks-alb-ingress-aws-waf/.
However, I learned that the only certs the ALB works with are from ACM. So I looked into setting up my hands-free DNS + cert management (external-dns + cert-manager) with an ACM cert-manager Issuer. But it seems like that is not possible?! https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/1143 https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/1084
Cert-manager only supports an add-on for AWS' Private Cert Manager, not for public certs.
Given I do not want to manually deal with certs or have to create them outside of my ingress defs, the ALB approach seems effectively like a dead-end at the moment.
Thanks for your input. Hopefully this tale & post helps someone else as well.
Edit: Not really looking for a CNI setup, as I am really looking for a "firewall service" I can use at the edge of the cluster. However, I would be interested in hearing about how you used CNI to suit this need, if possible.
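For reference, this is the ALB + WAF Ingress shape the linked AWS guide describes, added here as an example and not the OP's own manifest; the namespace, service name, host and both ARNs are placeholders. The certificate annotation is where the dead-end shows up: the ALB listener only accepts an ACM certificate ARN, so a cert-manager-issued Secret cannot be referenced here.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress            # hypothetical name
  namespace: app               # hypothetical namespace
  annotations:
    # Hand this Ingress to the AWS Load Balancer Controller
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    # Redirect plain HTTP to the TLS listener
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    # ALB listeners take ACM certificates only; this must be an ACM ARN,
    # which is the constraint that rules out cert-manager. Placeholder value.
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID
    # Attach a regional WAFv2 web ACL to the ALB so requests are filtered
    # before they reach the cluster. Placeholder value.
    alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:REGION:ACCOUNT_ID:regional/webacl/NAME/ID
spec:
  rules:
    - host: app.example.com    # hypothetical host; external-dns can publish it
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app      # hypothetical backend Service
                port:
                  number: 80
```

The WAF rules themselves live in the web ACL, so the ACL ARN is the one thing to swap when tightening the edge policy.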