ACM Allow to import certificates #2043
Issues go stale after 180d of inactivity.

/remove-lifecycle stale
Description of changes:

Adds support for [importing certificates](https://docs.aws.amazon.com/acm/latest/APIReference/API_ImportCertificate.html) into ACM. When `Spec.Certificate` is set, the controller attempts to import a certificate into ACM, otherwise it requests a certificate. It is an error to set fields used to request a certificate when importing a certificate and vice versa.

The two fields required for importing a certificate (`Certificate` and `PrivateKey`) are both secret references. While the certificate portion may not be private information, it’s common to store TLS certificates as secrets in Kubernetes. The ACK runtime currently only supports resolving `Opaque` secrets and not TLS certificates, so users wanting to import existing TLS secrets into ACM will have to migrate them first.

The `late_initialize_post_read_one` hook is used to allow late initialization of optional fields, otherwise the controller will keep retrying `DescribeCertificate` for setting fields that will never be returned from the API.

`GoCodeSetSDKForStruct` in code-generator does not support resolving secret references for custom `[]byte` fields, so a wrapper type `importCertificateInput` has been introduced as a workaround.

Issue #, if available: aws-controllers-k8s/community#2043

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
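The migration step the PR description mentions (a `kubernetes.io/tls` Secret has to become an `Opaque` Secret before ACK can resolve it), the shape of the resulting import manifest, and the import-versus-request exclusivity rule, worked through as an added example that is not code from the PR or the ACK project. The CRD field names (`certificate`, `privateKey`, `certificateChain`, `domainName`, ...), the `acm.services.k8s.aws/v1alpha1` API group and the sample Secret contents are assumptions for illustration.

```python
import base64
import copy

# Constructed sample: a cert-manager style TLS Secret as kubectl would emit it.
# The PEM bodies are placeholders, not a real certificate or key.
TLS_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "example-tls", "namespace": "default", "uid": "placeholder"},
    "data": {
        "tls.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode(),
        "tls.key": base64.b64encode(b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n").decode(),
    },
}
# Assumed ACK Certificate spec field names: the first group requests, the second imports.
REQUEST_FIELDS = ("domainName", "validationMethod", "subjectAlternativeNames", "keyAlgorithm")
IMPORT_FIELDS = ("certificate", "privateKey", "certificateChain")

def tls_secret_to_opaque(secret, name=None):
    """Copy a kubernetes.io/tls Secret into an Opaque one with the same data keys."""
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("not a kubernetes.io/tls Secret")
    if not all(k in secret.get("data", {}) for k in ("tls.crt", "tls.key")):
        raise ValueError("TLS Secret must carry both tls.crt and tls.key")
    out = copy.deepcopy(secret)
    out["type"] = "Opaque"
    out["metadata"]["name"] = name or secret["metadata"]["name"] + "-opaque"
    # Strip server-populated metadata so the copy can be applied as a new object.
    for k in ("uid", "resourceVersion", "creationTimestamp", "managedFields"):
        out["metadata"].pop(k, None)
    return out

def import_certificate_manifest(cr_name, opaque_secret):
    """Build an ACK Certificate CR whose import fields point at the Opaque secret."""
    meta = opaque_secret["metadata"]
    def ref(key):  # ACK SecretKeyReference shape: name, namespace, key
        return {"name": meta["name"], "namespace": meta["namespace"], "key": key}
    return {
        "apiVersion": "acm.services.k8s.aws/v1alpha1", "kind": "Certificate",
        "metadata": {"name": cr_name, "namespace": meta["namespace"]},
        "spec": {"certificate": ref("tls.crt"), "privateKey": ref("tls.key")},
    }

def validate_spec(spec):
    """Apply the PR's rule: import fields and request fields are mutually exclusive."""
    importing = any(f in spec for f in IMPORT_FIELDS)
    if importing and any(f in spec for f in REQUEST_FIELDS):
        return False, "spec mixes import fields with request fields"
    if importing and not all(f in spec for f in ("certificate", "privateKey")):
        return False, "import requires both certificate and privateKey"
    return True, "ok"
```

The base64 `data` values are copied unchanged, so the private key never leaves the cluster's Secret store during the conversion; only the `type` and object identity change.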
Love the support for opaque Kubernetes secrets to be imported into ACM. However, we use cert-manager to generate TLS Kubernetes secrets, and we have to build our own translation layer to convert them to opaque before they can be imported. It'd be lovely if the ACK could support TLS secrets!
Due to company policy, we have to use TLS certificates issued by a specific CA. To use these certificates, it would be very handy if importing them to ACM could be controlled by ACK, so that we do not need to fall back to different tools for AWS resources.
I propose to add "ImportCertificate" to the service spec, supported by all necessary certificate data.
Since the API call is available in the ACM service, it may already be possible to do this with the ACK ACM service. In that case, I propose to add it to the documentation / API reference.