Michael Nairn My comment about supporting multiple certificates was referring to Classic ELBs. A single ALB can use multiple independent certificates whereas a Classic ELB with an SSL listener can only have one. Whether the community cluster should follow OSD and have SSL handled within OpenShift or handle SSL within AWS probably comes down to what features need to be supported or need to have feature parity with OSD. Handling SSL within AWS has the obvious cost benefit of virtually unlimited free certificates. However, the top 3 potentially useful features I can think of which come along with OpenShift handling SSL would be router sharding, user-specified secured routes with custom SSL certificates, and management of SSL certificates without requiring any access to the AWS account. I can't imagine any of those being used for the master API/console, so unless feature parity with OSD is needed, ALB should do just fine for the load balancer fronting the masters. Those things would be more useful on the load balancer sitting in front of the routers that service applications.