From 7bc83c0b3b1d8083713703671de9b27186c5a70e Mon Sep 17 00:00:00 2001 From: Nathan Clonts Date: Thu, 11 Dec 2025 19:07:28 +0000 Subject: [PATCH 1/5] changes from initial generation --- apis/v1alpha1/ack-generate-metadata.yaml | 8 ++++---- config/controller/kustomization.yaml | 2 +- .../bases/services.k8s.aws_iamroleselectors.yaml | 10 ++++++++++ config/crd/common/kustomization.yaml | 2 +- helm/Chart.yaml | 4 ++-- helm/crds/services.k8s.aws_iamroleselectors.yaml | 10 ++++++++++ helm/templates/NOTES.txt | 2 +- helm/values.yaml | 2 +- 8 files changed, 30 insertions(+), 10 deletions(-) diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml index fffdca4..c4ecf5c 100755 --- a/apis/v1alpha1/ack-generate-metadata.yaml +++ b/apis/v1alpha1/ack-generate-metadata.yaml @@ -1,8 +1,8 @@ ack_generate_info: - build_date: "2025-12-02T21:07:23Z" - build_hash: 06bffb95177cf873ee1b1a1c6f93cb30380c1e36 - go_version: go1.25.1 - version: v0.56.0-2-g06bffb9 + build_date: "2025-12-11T18:58:45Z" + build_hash: 5c8b9050006ef6c7d3a97c279e7b1bc163f20a0a + go_version: go1.24.0 + version: v0.56.0-3-g5c8b905 api_directory_checksum: 5dc0b682f154f3479809e330d2760ff9575e9bea api_version: v1alpha1 aws_sdk_go_version: v1.32.6 diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml index f4af25f..2dea6a9 100644 --- a/config/controller/kustomization.yaml +++ b/config/controller/kustomization.yaml @@ -6,4 +6,4 @@ kind: Kustomization images: - name: controller newName: public.ecr.aws/aws-controllers-k8s/acm-controller - newTag: 1.3.0 + newTag: 0.0.0-non-release-version diff --git a/config/crd/common/bases/services.k8s.aws_iamroleselectors.yaml b/config/crd/common/bases/services.k8s.aws_iamroleselectors.yaml index 9477c90..803a75c 100644 --- a/config/crd/common/bases/services.k8s.aws_iamroleselectors.yaml +++ b/config/crd/common/bases/services.k8s.aws_iamroleselectors.yaml 
@@ -63,6 +63,16 @@ spec: required: - names type: object + resourceLabelSelector: + description: LabelSelector is a label query over a set of resources. + properties: + matchLabels: + additionalProperties: + type: string + type: object + required: + - matchLabels + type: object resourceTypeSelector: items: properties: diff --git a/config/crd/common/kustomization.yaml b/config/crd/common/kustomization.yaml index 8165534..65cb01b 100644 --- a/config/crd/common/kustomization.yaml +++ b/config/crd/common/kustomization.yaml @@ -3,5 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - bases/services.k8s.aws_iamroleselectors.yaml - bases/services.k8s.aws_fieldexports.yaml + - bases/services.k8s.aws_iamroleselectors.yaml diff --git a/helm/Chart.yaml b/helm/Chart.yaml index e28caa2..1d697e7 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 name: acm-chart description: A Helm chart for the ACK service controller for AWS Certificate Manager (ACM) -version: 1.3.0 -appVersion: 1.3.0 +version: 0.0.0-non-release-version +appVersion: 0.0.0-non-release-version home: https://github.com/aws-controllers-k8s/acm-controller icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/helm/crds/services.k8s.aws_iamroleselectors.yaml b/helm/crds/services.k8s.aws_iamroleselectors.yaml index 9477c90..803a75c 100644 --- a/helm/crds/services.k8s.aws_iamroleselectors.yaml +++ b/helm/crds/services.k8s.aws_iamroleselectors.yaml @@ -63,6 +63,16 @@ spec: required: - names type: object + resourceLabelSelector: + description: LabelSelector is a label query over a set of resources. + properties: + matchLabels: + additionalProperties: + type: string + type: object + required: + - matchLabels + type: object resourceTypeSelector: items: properties: diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt index ca62e68..6531a3f 100644 --- a/helm/templates/NOTES.txt 
+++ b/helm/templates/NOTES.txt @@ -1,5 +1,5 @@ {{ .Chart.Name }} has been installed. -This chart deploys "public.ecr.aws/aws-controllers-k8s/acm-controller:1.3.0". +This chart deploys "public.ecr.aws/aws-controllers-k8s/acm-controller:0.0.0-non-release-version". Check its status by running: kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}" diff --git a/helm/values.yaml b/helm/values.yaml index 310e6bd..7741eb9 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -4,7 +4,7 @@ image: repository: public.ecr.aws/aws-controllers-k8s/acm-controller - tag: 1.3.0 + tag: 0.0.0-non-release-version pullPolicy: IfNotPresent pullSecrets: [] From e4955fc263d4dcd12bd62a93cddc3dc17f576fb0 Mon Sep 17 00:00:00 2001 From: Nathan Clonts Date: Thu, 11 Dec 2025 20:16:54 +0000 Subject: [PATCH 2/5] normalize keyAlgorithm field separators --- apis/v1alpha1/ack-generate-metadata.yaml | 2 +- pkg/resource/certificate/hooks.go | 8 +++ pkg/resource/certificate/sdk.go | 6 +++ .../sdk_read_one_pre_set_output.go.tpl | 10 +++- .../certificate_with_key_algorithm.yaml | 10 ++++ test/e2e/tests/test_certificate.py | 54 +++++++++++++++++++ 6 files changed, 87 insertions(+), 3 deletions(-) create mode 100644 test/e2e/resources/certificate_with_key_algorithm.yaml diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml index c4ecf5c..8597749 100755 --- a/apis/v1alpha1/ack-generate-metadata.yaml +++ b/apis/v1alpha1/ack-generate-metadata.yaml @@ -1,5 +1,5 @@ ack_generate_info: - build_date: "2025-12-11T18:58:45Z" + build_date: "2025-12-11T20:14:05Z" build_hash: 5c8b9050006ef6c7d3a97c279e7b1bc163f20a0a go_version: go1.24.0 version: v0.56.0-3-g5c8b905 diff --git a/pkg/resource/certificate/hooks.go b/pkg/resource/certificate/hooks.go index 5311e0c..e41c762 100644 --- a/pkg/resource/certificate/hooks.go +++ b/pkg/resource/certificate/hooks.go 
@@ -252,6 +252,14 @@ func DecryptPrivateKey(encryptedPEM, passphrase []byte, keyAlgorithm string) ([] } } +// normalizeKeyAlgorithm normalizes a KeyAlgorithm value by replacing all dash +// characters with underscore characters. This ensures consistency between the +// user-specified format (e.g., RSA_2048) and the AWS API response format +// (e.g., RSA-2048). +func normalizeKeyAlgorithm(algorithm string) string { + return strings.ReplaceAll(algorithm, "-", "_") +} + func compareCertificateIssuedAt( delta *ackcompare.Delta, a *resource, diff --git a/pkg/resource/certificate/sdk.go b/pkg/resource/certificate/sdk.go index d14c8df..73cfff2 100644 --- a/pkg/resource/certificate/sdk.go +++ b/pkg/resource/certificate/sdk.go @@ -133,6 +133,12 @@ func (rm *resourceManager) sdkFind( if err != nil { return nil, err } + // Normalize KeyAlgorithm to use underscores instead of dashes + // AWS API returns dashes (e.g., RSA-2048) but users specify underscores (e.g., RSA_2048) + if resp.Certificate.KeyAlgorithm != "" { + normalizedAlgorithm := normalizeKeyAlgorithm(string(resp.Certificate.KeyAlgorithm)) + ko.Spec.KeyAlgorithm = &normalizedAlgorithm + } if ko.Status.ACKResourceMetadata == nil { ko.Status.ACKResourceMetadata = &ackv1alpha1.ResourceMetadata{} diff --git a/templates/hooks/certificate/sdk_read_one_pre_set_output.go.tpl b/templates/hooks/certificate/sdk_read_one_pre_set_output.go.tpl index b61ff49..0cde051 100644 --- a/templates/hooks/certificate/sdk_read_one_pre_set_output.go.tpl +++ b/templates/hooks/certificate/sdk_read_one_pre_set_output.go.tpl 
@@ -36,9 +36,15 @@ ko.Status.DomainValidations = nil } ko.Spec.Tags, err = listTags( - ctx, rm.sdkapi, rm.metrics, - string(*r.ko.Status.ACKResourceMetadata.ARN), + ctx, rm.sdkapi, rm.metrics, + string(*r.ko.Status.ACKResourceMetadata.ARN), ) if err != nil { return nil, err + } + // Normalize KeyAlgorithm to use underscores instead of dashes + // AWS API returns dashes (e.g., RSA-2048) but users specify underscores (e.g., RSA_2048) + if resp.Certificate.KeyAlgorithm != "" { + normalizedAlgorithm := normalizeKeyAlgorithm(string(resp.Certificate.KeyAlgorithm)) + ko.Spec.KeyAlgorithm = &normalizedAlgorithm } \ No newline at end of file diff --git a/test/e2e/resources/certificate_with_key_algorithm.yaml b/test/e2e/resources/certificate_with_key_algorithm.yaml new file mode 100644 index 0000000..1dedf1c --- /dev/null +++ b/test/e2e/resources/certificate_with_key_algorithm.yaml @@ -0,0 +1,10 @@ +apiVersion: acm.services.k8s.aws/v1alpha1 +kind: Certificate +metadata: + name: $CERTIFICATE_NAME +spec: + domainName: $DOMAIN_NAME + keyAlgorithm: RSA_2048 + tags: + - key: environment + value: dev diff --git a/test/e2e/tests/test_certificate.py b/test/e2e/tests/test_certificate.py index 75df63d..ade4bc3 100644 --- a/test/e2e/tests/test_certificate.py +++ b/test/e2e/tests/test_certificate.py 
@@ -241,6 +241,60 @@ def test_invalid( 'type': condition.CONDITION_TYPE_TERMINAL, } + @pytest.mark.parametrize('certificate_public', ['certificate_with_key_algorithm'], indirect=True) + def test_key_algorithm_normalization( + self, + certificate_public, + ): + """Test that KeyAlgorithm with underscores is preserved after sync. + + This test verifies that when a user specifies keyAlgorithm as RSA_2048 + (with underscores), the controller normalizes the AWS API response + (which uses dashes like RSA-2048) back to underscores, preventing + infinite reconciliation loops. + """ + (ref, cr) = certificate_public + assert "status" in cr + assert "ackResourceMetadata" in cr["status"] + assert "arn" in cr["status"]["ackResourceMetadata"] + certificate_arn = cr["status"]["ackResourceMetadata"]["arn"] + + # Wait for the resource to get synced + assert k8s.wait_on_condition( + ref, + "ACK.ResourceSynced", + "True", + wait_periods=MAX_WAIT_FOR_SYNCED_MINUTES, + ) + + # Verify the keyAlgorithm field maintains underscore format after sync + cr = k8s.get_resource(ref) + assert "spec" in cr + assert "keyAlgorithm" in cr["spec"] + # The keyAlgorithm should remain RSA_2048 (with underscores), not RSA-2048 + assert cr["spec"]["keyAlgorithm"] == "RSA_2048", \ + f"Expected keyAlgorithm to be 'RSA_2048' but got '{cr['spec']['keyAlgorithm']}'" + + # Wait a bit and check again to ensure no reconciliation loop + time.sleep(10) + + # Verify the resource is still synced (no reconciliation loop) + assert k8s.wait_on_condition( + ref, + "ACK.ResourceSynced", + "True", + wait_periods=MAX_WAIT_FOR_SYNCED_MINUTES, + ) + + # Verify keyAlgorithm is still in underscore format + cr = k8s.get_resource(ref) + assert cr["spec"]["keyAlgorithm"] == "RSA_2048", \ + f"KeyAlgorithm changed after sync, expected 'RSA_2048' but got '{cr['spec']['keyAlgorithm']}'" + + k8s.delete_custom_resource(ref) + time.sleep(DELETE_WAIT_AFTER_SECONDS) + certificate.wait_until_deleted(certificate_arn) + def 
test_import_certificate( self, certificate_import, From b849d1fc942103b2ac0f5278a32289f44c794272 Mon Sep 17 00:00:00 2001 From: Nathan Clonts Date: Thu, 11 Dec 2025 20:31:36 +0000 Subject: [PATCH 3/5] regen w go1.25.1 --- apis/v1alpha1/ack-generate-metadata.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml index 8597749..a03b36a 100755 --- a/apis/v1alpha1/ack-generate-metadata.yaml +++ b/apis/v1alpha1/ack-generate-metadata.yaml @@ -1,7 +1,7 @@ ack_generate_info: - build_date: "2025-12-11T20:14:05Z" + build_date: "2025-12-11T20:23:35Z" build_hash: 5c8b9050006ef6c7d3a97c279e7b1bc163f20a0a - go_version: go1.24.0 + go_version: go1.25.1 version: v0.56.0-3-g5c8b905 api_directory_checksum: 5dc0b682f154f3479809e330d2760ff9575e9bea api_version: v1alpha1 From c02fa29ac24de98872d096f62df6b7bf7daf28a8 Mon Sep 17 00:00:00 2001 From: Nathan Clonts Date: Fri, 12 Dec 2025 00:01:14 +0000 Subject: [PATCH 4/5] remove duplicated wait and assert --- test/e2e/tests/test_certificate.py | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/test/e2e/tests/test_certificate.py b/test/e2e/tests/test_certificate.py index ade4bc3..20e04a2 100644 --- a/test/e2e/tests/test_certificate.py +++ b/test/e2e/tests/test_certificate.py 
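Review bot: The docstring of `test_key_algorithm_normalization` says the change prevents infinite reconciliation loops, but the assertions only check that `cr["spec"]["keyAlgorithm"]` reads back as `RSA_2048` and that `ACK.ResourceSynced` is `True`. The only stability check is a fixed `time.sleep(10)` followed by the same two assertions, and a controller that keeps detecting a delta could plausibly satisfy both between reconciles. Consider recording `cr["metadata"]["generation"]` after the first sync and asserting it is unchanged on the second read, which would at least catch the controller rewriting the spec. If the test is meant to cover only the field format, narrow the docstring to say that instead.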
@@ -275,22 +275,6 @@ def test_key_algorithm_normalization( assert cr["spec"]["keyAlgorithm"] == "RSA_2048", \ f"Expected keyAlgorithm to be 'RSA_2048' but got '{cr['spec']['keyAlgorithm']}'" - # Wait a bit and check again to ensure no reconciliation loop - time.sleep(10) - - # Verify the resource is still synced (no reconciliation loop) - assert k8s.wait_on_condition( - ref, - "ACK.ResourceSynced", - "True", - wait_periods=MAX_WAIT_FOR_SYNCED_MINUTES, - ) - - # Verify keyAlgorithm is still in underscore format - cr = k8s.get_resource(ref) - assert cr["spec"]["keyAlgorithm"] == "RSA_2048", \ - f"KeyAlgorithm changed after sync, expected 'RSA_2048' but got '{cr['spec']['keyAlgorithm']}'" - k8s.delete_custom_resource(ref) time.sleep(DELETE_WAIT_AFTER_SECONDS) certificate.wait_until_deleted(certificate_arn) From b9562b88904ec66b10a1822324e5ade8bab1ca58 Mon Sep 17 00:00:00 2001 From: Nathan Clonts Date: Fri, 12 Dec 2025 00:14:49 +0000 Subject: [PATCH 5/5] Move keyAlgorithm comparison to delta --- apis/v1alpha1/ack-generate-metadata.yaml | 2 +- config/controller/kustomization.yaml | 2 +- helm/Chart.yaml | 4 ++-- helm/templates/NOTES.txt | 2 +- helm/values.yaml | 2 +- pkg/resource/certificate/delta.go | 1 + pkg/resource/certificate/hooks.go | 14 ++++++++++++++ pkg/resource/certificate/sdk.go | 6 ------ .../hooks/certificate/delta_pre_compare.go.tpl | 3 ++- .../certificate/sdk_read_one_pre_set_output.go.tpl | 6 ------ 10 files changed, 23 insertions(+), 19 deletions(-) diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml index a03b36a..9d1fafb 100755 --- a/apis/v1alpha1/ack-generate-metadata.yaml +++ b/apis/v1alpha1/ack-generate-metadata.yaml @@ -1,5 +1,5 @@ ack_generate_info: - build_date: "2025-12-11T20:23:35Z" + build_date: "2025-12-12T00:10:27Z" build_hash: 5c8b9050006ef6c7d3a97c279e7b1bc163f20a0a go_version: go1.25.1 version: v0.56.0-3-g5c8b905 
diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml index 2dea6a9..f4af25f 100644 --- a/config/controller/kustomization.yaml +++ b/config/controller/kustomization.yaml @@ -6,4 +6,4 @@ kind: Kustomization images: - name: controller newName: public.ecr.aws/aws-controllers-k8s/acm-controller - newTag: 0.0.0-non-release-version + newTag: 1.3.0 diff --git a/helm/Chart.yaml b/helm/Chart.yaml index 1d697e7..e28caa2 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 name: acm-chart description: A Helm chart for the ACK service controller for AWS Certificate Manager (ACM) -version: 0.0.0-non-release-version -appVersion: 0.0.0-non-release-version +version: 1.3.0 +appVersion: 1.3.0 home: https://github.com/aws-controllers-k8s/acm-controller icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt index 6531a3f..ca62e68 100644 --- a/helm/templates/NOTES.txt +++ b/helm/templates/NOTES.txt @@ -1,5 +1,5 @@ {{ .Chart.Name }} has been installed. -This chart deploys "public.ecr.aws/aws-controllers-k8s/acm-controller:0.0.0-non-release-version". +This chart deploys "public.ecr.aws/aws-controllers-k8s/acm-controller:1.3.0". Check its status by running: kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}" diff --git a/helm/values.yaml b/helm/values.yaml index 7741eb9..310e6bd 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -4,7 +4,7 @@ image: repository: public.ecr.aws/aws-controllers-k8s/acm-controller - tag: 0.0.0-non-release-version + tag: 1.3.0 pullPolicy: IfNotPresent pullSecrets: [] diff --git a/pkg/resource/certificate/delta.go b/pkg/resource/certificate/delta.go index dcd7f2d..1c9b923 100644 --- a/pkg/resource/certificate/delta.go +++ b/pkg/resource/certificate/delta.go 
@@ -43,6 +43,7 @@ func newResourceDelta( return delta } compareCertificateIssuedAt(delta, a, b) + compareKeyAlgorithm(delta, a, b) if ackcompare.HasNilDifference(a.ko.Spec.CertificateARN, b.ko.Spec.CertificateARN) { delta.Add("Spec.CertificateARN", a.ko.Spec.CertificateARN, b.ko.Spec.CertificateARN) diff --git a/pkg/resource/certificate/hooks.go b/pkg/resource/certificate/hooks.go index e41c762..874949b 100644 --- a/pkg/resource/certificate/hooks.go +++ b/pkg/resource/certificate/hooks.go @@ -260,6 +260,20 @@ func normalizeKeyAlgorithm(algorithm string) string { return strings.ReplaceAll(algorithm, "-", "_") } +func compareKeyAlgorithm( + delta *ackcompare.Delta, + a *resource, + b *resource, +) { + if a.ko.Spec.KeyAlgorithm != nil && b.ko.Spec.KeyAlgorithm != nil { + normalizedA := normalizeKeyAlgorithm(*a.ko.Spec.KeyAlgorithm) + normalizedB := normalizeKeyAlgorithm(*b.ko.Spec.KeyAlgorithm) + if normalizedA != normalizedB { + delta.Add("Spec.KeyAlgorithm", a.ko.Spec.KeyAlgorithm, b.ko.Spec.KeyAlgorithm) + } + } +} + func compareCertificateIssuedAt( delta *ackcompare.Delta, a *resource, diff --git a/pkg/resource/certificate/sdk.go b/pkg/resource/certificate/sdk.go index 73cfff2..d14c8df 100644 --- a/pkg/resource/certificate/sdk.go +++ b/pkg/resource/certificate/sdk.go @@ -133,12 +133,6 @@ func (rm *resourceManager) sdkFind( if err != nil { return nil, err } - // Normalize KeyAlgorithm to use underscores instead of dashes - // AWS API returns dashes (e.g., RSA-2048) but users specify underscores (e.g., RSA_2048) - if resp.Certificate.KeyAlgorithm != "" { - normalizedAlgorithm := normalizeKeyAlgorithm(string(resp.Certificate.KeyAlgorithm)) - ko.Spec.KeyAlgorithm = &normalizedAlgorithm - } if ko.Status.ACKResourceMetadata == nil { ko.Status.ACKResourceMetadata = &ackv1alpha1.ResourceMetadata{} diff --git a/templates/hooks/certificate/delta_pre_compare.go.tpl b/templates/hooks/certificate/delta_pre_compare.go.tpl index ae8da90..f9e6391 100644 
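Review bot: `compareKeyAlgorithm` in hooks.go adds a delta only when both `Spec.KeyAlgorithm` pointers are non-nil, so a nil-versus-set mismatch is treated as equal, and there is no doc comment saying whether that is intended. If it is deliberate, state it, e.g. `// compareKeyAlgorithm reports a difference only when both sides are set and differ after dash/underscore normalization; a nil on either side is not treated as drift.` Separately, the delta.go hunk adds the call and removes nothing. If the generated `newResourceDelta` still compares `Spec.KeyAlgorithm` by plain string equality further down (not visible here), `RSA_2048` versus `RSA-2048` would keep producing a delta. Please confirm the field is excluded from generated comparison in the generator config (`compare: is_ignored: true`), which is not in this patch's diffstat.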
--- a/templates/hooks/certificate/delta_pre_compare.go.tpl +++ b/templates/hooks/certificate/delta_pre_compare.go.tpl @@ -1 +1,2 @@ -compareCertificateIssuedAt(delta, a, b) \ No newline at end of file +compareCertificateIssuedAt(delta, a, b) +compareKeyAlgorithm(delta, a, b) \ No newline at end of file diff --git a/templates/hooks/certificate/sdk_read_one_pre_set_output.go.tpl b/templates/hooks/certificate/sdk_read_one_pre_set_output.go.tpl index 0cde051..5020f65 100644 --- a/templates/hooks/certificate/sdk_read_one_pre_set_output.go.tpl +++ b/templates/hooks/certificate/sdk_read_one_pre_set_output.go.tpl @@ -41,10 +41,4 @@ ) if err != nil { return nil, err - } - // Normalize KeyAlgorithm to use underscores instead of dashes - // AWS API returns dashes (e.g., RSA-2048) but users specify underscores (e.g., RSA_2048) - if resp.Certificate.KeyAlgorithm != "" { - normalizedAlgorithm := normalizeKeyAlgorithm(string(resp.Certificate.KeyAlgorithm)) - ko.Spec.KeyAlgorithm = &normalizedAlgorithm } \ No newline at end of file