Support importing certificates into ACM #40
Conversation
ack-prow
bot
added
the
needs-ok-to-test
|
Hi @cPu1. Thanks for your PR. I'm waiting for a aws-controllers-k8s member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
cPu1
force-pushed
the
feat/import-certificate
branch
2 times, most recently
from
3168efa to
a386d8f
Compare
|
/ok-to-test |
ack-prow
bot
added
ok-to-test
Description of changes: As part of aws-controllers-k8s/acm-controller#40, an integration test was added that has a dependency on the `cryptography` module. In order for this to work, `libffi` needs to be installed in Alpine-based images. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
|
/retest |
|
this matches our requirement for importing certi into ACM |
cPu1
force-pushed
the
feat/import-certificate
branch
from
a386d8f to
5dfea68
Compare
apis/v1alpha1/certificate.go
Outdated
| @@ -32,6 +33,7 @@ type CertificateSpec struct { | |||
| // | |||
| // arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 | |||
| CertificateAuthorityARN *string `json:"certificateAuthorityARN,omitempty"` | |||
There was a problem hiding this comment.
Can we allow the ref of a ACK PCA Certificate authority to be passed in?
There was a problem hiding this comment.
Makes sense. I'll look into it.
There was a problem hiding this comment.
I have made this change but I'll note that this field was not introduced in this PR and is not related to importing certificates either.
cPu1
force-pushed
the
feat/import-certificate
branch
from
5dfea68 to
90f4aab
Compare
|
I have rebased and pushed a change to use a secret for |
apis/v1alpha1/certificate.go
Outdated
| Certificate *ackv1alpha1.SecretKeyReference `json:"certificate,omitempty"` | ||
| CertificateARN *string `json:"certificateARN,omitempty"` |
There was a problem hiding this comment.
We might want to add some custom documentation for these fields. I'm getting a bit confused with all the Certificate* fields 😄
There was a problem hiding this comment.
Good point. I'll add it.
| func (c *importCertificateInput) SetPrivateKey(_ *ackv1alpha1.SecretKeyReference) {} | ||
|
|
||
| func (c *importCertificateInput) SetCertificate(_ *ackv1alpha1.SecretKeyReference) {} | ||
|
|
||
| func (c *importCertificateInput) SetCertificateChain(_ *ackv1alpha1.SecretKeyReference) {} |
There was a problem hiding this comment.
Do we need these to be implemented
There was a problem hiding this comment.
We do not. There's a comment on the importCertificateInput struct explaining why this is needed.
| 'spec': { | ||
| 'options': { | ||
| 'certificateTransparencyLoggingPreference': 'ENABLED' | ||
| } | ||
| }, | ||
| } | ||
| k8s.patch_custom_resource(ref, updates) | ||
| time.sleep(10) | ||
| assert k8s.wait_on_condition( | ||
| ref, | ||
| condition.CONDITION_TYPE_TERMINAL, | ||
| 'True', | ||
| wait_periods=MAX_WAIT_FOR_SYNCED_MINUTES, | ||
| ) |
There was a problem hiding this comment.
Why does the resource go in terminal state when certificateTransparencyLoggingPreference is enabled?
There was a problem hiding this comment.
It's because certificateTransparencyLoggingPreference is an immutable field for imported certificates.
| created, err := rm.importCertificate(ctx, r, input) | ||
| if err != nil { | ||
| return nil, false, err | ||
| } | ||
| return created, true, nil |
There was a problem hiding this comment.
Do we need the boolean in the outputs? looks like we return true only when created is returned.
There was a problem hiding this comment.
While the caller can also use nil for checking if this is for importing an existing certificate, a separate boolean return value makes the intent clearer and the calling code more readable.
cPu1
force-pushed
the
feat/import-certificate
branch
2 times, most recently
from
9a25cb4 to
da90cd6
Compare
Adds support for [importing certificates](https://docs.aws.amazon.com/acm/latest/APIReference/API_ImportCertificate.html) into ACM. When `Spec.Certificate` is set, the controller attempts to import a certificate into ACM, otherwise it requests a certificate. It is an error to set fields used to request a certificate when importing a certificate and vice versa. The two fields required for importing a certificate (`Certificate` and `PrivateKey`) are both secret references. While the certificate portion may not be private information, it’s common to store TLS certificates as secrets in Kubernetes. The ACK runtime currently only supports resolving `Opaque` secrets and not TLS certificates, so users wanting to import existing TLS secrets into ACM will have to migrate them first. The `late_initialize_post_read_one` hook is used to allow late initialization of optional fields, otherwise the controller will keep retrying `DescribeCertificate` for setting fields that will never be returned from the API. `GoCodeSetSDKForStruct` in code-generator does not support resolving secret references for custom `[]byte` fields, so a wrapper type `importCertificateInput` has been introduced as a workaround. Signed-off-by: cpu1 <[email protected]>
Signed-off-by: cpu1 <[email protected]>
Signed-off-by: cpu1 <[email protected]>
a-hilaly
force-pushed
the
feat/import-certificate
branch
from
2d07780 to
45a1cdb
Compare
|
@cPu1: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: a-hilaly, cPu1, michaelhtm The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Issue #, if available: Description of changes: Update recommended inline policy to support importing certificates which was added as part of #40 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Description of changes:
Adds support for importing certificates into ACM. When
Spec.Certificateis set, the controller attempts to import a certificate into ACM, otherwise it requests a certificate. It is an error to set fields used to request a certificate when importing a certificate and vice versa. The two fields required for importing a certificate (CertificateandPrivateKey) are both secret references. While the certificate portion may not be private information, it’s common to store TLS certificates as secrets in Kubernetes. The ACK runtime currently only supports resolvingOpaquesecrets and not TLS certificates, so users wanting to import existing TLS secrets into ACM will have to migrate them first.The
late_initialize_post_read_onehook is used to allow late initialization of optional fields, otherwise the controller will keep retryingDescribeCertificatefor setting fields that will never be returned from the API.GoCodeSetSDKForStructin code-generator does not support resolving secret references for custom[]bytefields, so a wrapper typeimportCertificateInputhas been introduced as a workaround.Issue #, if available: aws-controllers-k8s/community#2043
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.