diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml index 973de0b..bdbaa3e 100755 --- a/apis/v1alpha1/ack-generate-metadata.yaml +++ b/apis/v1alpha1/ack-generate-metadata.yaml @@ -1,13 +1,13 @@ ack_generate_info: - build_date: "2025-01-23T02:21:19Z" - build_hash: 2442aa071c05fcdf54841e63abd5f91d1951e152 + build_date: "2025-02-04T23:20:53Z" + build_hash: d2d639403dd853736e63c2bc1e3ca51251fd1bd1 go_version: go1.23.5 - version: v0.41.0 -api_directory_checksum: b055cc57ac2cc8b07e374803c280b65d1a72f3bf + version: v0.41.0-16-gd2d6394-dirty +api_directory_checksum: 78a5d23ba8b0c12225d1afd2506d5524d9a7aa68 api_version: v1alpha1 -aws_sdk_go_version: v1.49.0 +aws_sdk_go_version: v1.32.6 generator_config_info: - file_checksum: df0b4d7fe83a679c01131dc4af1844b5ff8105b3 + file_checksum: 38b3144fc024675b7bdccb9141fc36779effb946 original_file_name: generator.yaml last_modification: reason: API generation diff --git a/apis/v1alpha1/certificate.go b/apis/v1alpha1/certificate.go index 9a5b764..93455ab 100644 --- a/apis/v1alpha1/certificate.go +++ b/apis/v1alpha1/certificate.go 
@@ -58,11 +58,26 @@ type CertificateSpec struct { // uses to encrypt data. RSA is the default key algorithm for ACM certificates. // Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering // security comparable to RSA keys but with greater computing efficiency. However, - // ECDSA is not supported by all network clients. Some AWS services may require - // RSA keys, or only support ECDSA keys of a particular size, while others allow - // the use of either RSA and ECDSA keys to ensure that compatibility is not - // broken. Check the requirements for the AWS service where you plan to deploy - // your certificate. + // ECDSA is not supported by all network clients. Some Amazon Web Services services + // may require RSA keys, or only support ECDSA keys of a particular size, while + // others allow the use of either RSA and ECDSA keys to ensure that compatibility + // is not broken. Check the requirements for the Amazon Web Services service + // where you plan to deploy your certificate. For more information about selecting + // an algorithm, see Key algorithms (https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms). + // + // Algorithms supported for an ACM certificate request include: + // + // - RSA_2048 + // + // - EC_prime256v1 + // + // - EC_secp384r1 + // + // Other listed algorithms are for imported certificates only. + // + // When you request a private PKI certificate signed by a CA from Amazon Web + // Services Private CA, the specified signing algorithm family (RSA or ECDSA) + // must match the algorithm family of the CA's secret key. // // Default: RSA_2048 KeyAlgorithm *string `json:"keyAlgorithm,omitempty"` diff --git a/apis/v1alpha1/enums.go b/apis/v1alpha1/enums.go index f1ec792..857e815 100644 --- a/apis/v1alpha1/enums.go +++ b/apis/v1alpha1/enums.go 
@@ -18,103 +18,103 @@ package v1alpha1 type CertificateStatus_SDK string const ( - CertificateStatus_SDK_PENDING_VALIDATION CertificateStatus_SDK = "PENDING_VALIDATION" - CertificateStatus_SDK_ISSUED CertificateStatus_SDK = "ISSUED" - CertificateStatus_SDK_INACTIVE CertificateStatus_SDK = "INACTIVE" CertificateStatus_SDK_EXPIRED CertificateStatus_SDK = "EXPIRED" - CertificateStatus_SDK_VALIDATION_TIMED_OUT CertificateStatus_SDK = "VALIDATION_TIMED_OUT" - CertificateStatus_SDK_REVOKED CertificateStatus_SDK = "REVOKED" CertificateStatus_SDK_FAILED CertificateStatus_SDK = "FAILED" + CertificateStatus_SDK_INACTIVE CertificateStatus_SDK = "INACTIVE" + CertificateStatus_SDK_ISSUED CertificateStatus_SDK = "ISSUED" + CertificateStatus_SDK_PENDING_VALIDATION CertificateStatus_SDK = "PENDING_VALIDATION" + CertificateStatus_SDK_REVOKED CertificateStatus_SDK = "REVOKED" + CertificateStatus_SDK_VALIDATION_TIMED_OUT CertificateStatus_SDK = "VALIDATION_TIMED_OUT" ) type CertificateTransparencyLoggingPreference string const ( - CertificateTransparencyLoggingPreference_ENABLED CertificateTransparencyLoggingPreference = "ENABLED" CertificateTransparencyLoggingPreference_DISABLED CertificateTransparencyLoggingPreference = "DISABLED" + CertificateTransparencyLoggingPreference_ENABLED CertificateTransparencyLoggingPreference = "ENABLED" ) type CertificateType string const ( - CertificateType_IMPORTED CertificateType = "IMPORTED" CertificateType_AMAZON_ISSUED CertificateType = "AMAZON_ISSUED" + CertificateType_IMPORTED CertificateType = "IMPORTED" CertificateType_PRIVATE CertificateType = "PRIVATE" ) type DomainStatus string const ( + DomainStatus_FAILED DomainStatus = "FAILED" DomainStatus_PENDING_VALIDATION DomainStatus = "PENDING_VALIDATION" DomainStatus_SUCCESS DomainStatus = "SUCCESS" - DomainStatus_FAILED DomainStatus = "FAILED" ) type ExtendedKeyUsageName string const ( - ExtendedKeyUsageName_TLS_WEB_SERVER_AUTHENTICATION ExtendedKeyUsageName = "TLS_WEB_SERVER_AUTHENTICATION" - 
ExtendedKeyUsageName_TLS_WEB_CLIENT_AUTHENTICATION ExtendedKeyUsageName = "TLS_WEB_CLIENT_AUTHENTICATION" + ExtendedKeyUsageName_ANY ExtendedKeyUsageName = "ANY" ExtendedKeyUsageName_CODE_SIGNING ExtendedKeyUsageName = "CODE_SIGNING" + ExtendedKeyUsageName_CUSTOM ExtendedKeyUsageName = "CUSTOM" ExtendedKeyUsageName_EMAIL_PROTECTION ExtendedKeyUsageName = "EMAIL_PROTECTION" - ExtendedKeyUsageName_TIME_STAMPING ExtendedKeyUsageName = "TIME_STAMPING" - ExtendedKeyUsageName_OCSP_SIGNING ExtendedKeyUsageName = "OCSP_SIGNING" ExtendedKeyUsageName_IPSEC_END_SYSTEM ExtendedKeyUsageName = "IPSEC_END_SYSTEM" ExtendedKeyUsageName_IPSEC_TUNNEL ExtendedKeyUsageName = "IPSEC_TUNNEL" ExtendedKeyUsageName_IPSEC_USER ExtendedKeyUsageName = "IPSEC_USER" - ExtendedKeyUsageName_ANY ExtendedKeyUsageName = "ANY" ExtendedKeyUsageName_NONE ExtendedKeyUsageName = "NONE" - ExtendedKeyUsageName_CUSTOM ExtendedKeyUsageName = "CUSTOM" + ExtendedKeyUsageName_OCSP_SIGNING ExtendedKeyUsageName = "OCSP_SIGNING" + ExtendedKeyUsageName_TIME_STAMPING ExtendedKeyUsageName = "TIME_STAMPING" + ExtendedKeyUsageName_TLS_WEB_CLIENT_AUTHENTICATION ExtendedKeyUsageName = "TLS_WEB_CLIENT_AUTHENTICATION" + ExtendedKeyUsageName_TLS_WEB_SERVER_AUTHENTICATION ExtendedKeyUsageName = "TLS_WEB_SERVER_AUTHENTICATION" ) type FailureReason string const ( - FailureReason_NO_AVAILABLE_CONTACTS FailureReason = "NO_AVAILABLE_CONTACTS" FailureReason_ADDITIONAL_VERIFICATION_REQUIRED FailureReason = "ADDITIONAL_VERIFICATION_REQUIRED" + FailureReason_CAA_ERROR FailureReason = "CAA_ERROR" FailureReason_DOMAIN_NOT_ALLOWED FailureReason = "DOMAIN_NOT_ALLOWED" - FailureReason_INVALID_PUBLIC_DOMAIN FailureReason = "INVALID_PUBLIC_DOMAIN" FailureReason_DOMAIN_VALIDATION_DENIED FailureReason = "DOMAIN_VALIDATION_DENIED" - FailureReason_CAA_ERROR FailureReason = "CAA_ERROR" - FailureReason_PCA_LIMIT_EXCEEDED FailureReason = "PCA_LIMIT_EXCEEDED" + FailureReason_INVALID_PUBLIC_DOMAIN FailureReason = "INVALID_PUBLIC_DOMAIN" + 
FailureReason_NO_AVAILABLE_CONTACTS FailureReason = "NO_AVAILABLE_CONTACTS" + FailureReason_OTHER FailureReason = "OTHER" + FailureReason_PCA_ACCESS_DENIED FailureReason = "PCA_ACCESS_DENIED" + FailureReason_PCA_INVALID_ARGS FailureReason = "PCA_INVALID_ARGS" FailureReason_PCA_INVALID_ARN FailureReason = "PCA_INVALID_ARN" + FailureReason_PCA_INVALID_DURATION FailureReason = "PCA_INVALID_DURATION" FailureReason_PCA_INVALID_STATE FailureReason = "PCA_INVALID_STATE" - FailureReason_PCA_REQUEST_FAILED FailureReason = "PCA_REQUEST_FAILED" + FailureReason_PCA_LIMIT_EXCEEDED FailureReason = "PCA_LIMIT_EXCEEDED" FailureReason_PCA_NAME_CONSTRAINTS_VALIDATION FailureReason = "PCA_NAME_CONSTRAINTS_VALIDATION" + FailureReason_PCA_REQUEST_FAILED FailureReason = "PCA_REQUEST_FAILED" FailureReason_PCA_RESOURCE_NOT_FOUND FailureReason = "PCA_RESOURCE_NOT_FOUND" - FailureReason_PCA_INVALID_ARGS FailureReason = "PCA_INVALID_ARGS" - FailureReason_PCA_INVALID_DURATION FailureReason = "PCA_INVALID_DURATION" - FailureReason_PCA_ACCESS_DENIED FailureReason = "PCA_ACCESS_DENIED" FailureReason_SLR_NOT_FOUND FailureReason = "SLR_NOT_FOUND" - FailureReason_OTHER FailureReason = "OTHER" ) type KeyAlgorithm string const ( + KeyAlgorithm_EC_prime256v1 KeyAlgorithm = "EC_prime256v1" + KeyAlgorithm_EC_secp384r1 KeyAlgorithm = "EC_secp384r1" + KeyAlgorithm_EC_secp521r1 KeyAlgorithm = "EC_secp521r1" KeyAlgorithm_RSA_1024 KeyAlgorithm = "RSA_1024" KeyAlgorithm_RSA_2048 KeyAlgorithm = "RSA_2048" KeyAlgorithm_RSA_3072 KeyAlgorithm = "RSA_3072" KeyAlgorithm_RSA_4096 KeyAlgorithm = "RSA_4096" - KeyAlgorithm_EC_prime256v1 KeyAlgorithm = "EC_prime256v1" - KeyAlgorithm_EC_secp384r1 KeyAlgorithm = "EC_secp384r1" - KeyAlgorithm_EC_secp521r1 KeyAlgorithm = "EC_secp521r1" ) type KeyUsageName string const ( - KeyUsageName_DIGITAL_SIGNATURE KeyUsageName = "DIGITAL_SIGNATURE" - KeyUsageName_NON_REPUDIATION KeyUsageName = "NON_REPUDIATION" - KeyUsageName_KEY_ENCIPHERMENT KeyUsageName = "KEY_ENCIPHERMENT" - 
KeyUsageName_DATA_ENCIPHERMENT KeyUsageName = "DATA_ENCIPHERMENT" - KeyUsageName_KEY_AGREEMENT KeyUsageName = "KEY_AGREEMENT" + KeyUsageName_ANY KeyUsageName = "ANY" KeyUsageName_CERTIFICATE_SIGNING KeyUsageName = "CERTIFICATE_SIGNING" KeyUsageName_CRL_SIGNING KeyUsageName = "CRL_SIGNING" - KeyUsageName_ENCIPHER_ONLY KeyUsageName = "ENCIPHER_ONLY" - KeyUsageName_DECIPHER_ONLY KeyUsageName = "DECIPHER_ONLY" - KeyUsageName_ANY KeyUsageName = "ANY" KeyUsageName_CUSTOM KeyUsageName = "CUSTOM" + KeyUsageName_DATA_ENCIPHERMENT KeyUsageName = "DATA_ENCIPHERMENT" + KeyUsageName_DECIPHER_ONLY KeyUsageName = "DECIPHER_ONLY" + KeyUsageName_DIGITAL_SIGNATURE KeyUsageName = "DIGITAL_SIGNATURE" + KeyUsageName_ENCIPHER_ONLY KeyUsageName = "ENCIPHER_ONLY" + KeyUsageName_KEY_AGREEMENT KeyUsageName = "KEY_AGREEMENT" + KeyUsageName_KEY_ENCIPHERMENT KeyUsageName = "KEY_ENCIPHERMENT" + KeyUsageName_NON_REPUDIATION KeyUsageName = "NON_REPUDIATION" ) type RecordType string 
@@ -133,25 +133,25 @@ const ( type RenewalStatus string const ( + RenewalStatus_FAILED RenewalStatus = "FAILED" RenewalStatus_PENDING_AUTO_RENEWAL RenewalStatus = "PENDING_AUTO_RENEWAL" RenewalStatus_PENDING_VALIDATION RenewalStatus = "PENDING_VALIDATION" RenewalStatus_SUCCESS RenewalStatus = "SUCCESS" - RenewalStatus_FAILED RenewalStatus = "FAILED" ) type RevocationReason string const ( - RevocationReason_UNSPECIFIED RevocationReason = "UNSPECIFIED" - RevocationReason_KEY_COMPROMISE RevocationReason = "KEY_COMPROMISE" - RevocationReason_CA_COMPROMISE RevocationReason = "CA_COMPROMISE" RevocationReason_AFFILIATION_CHANGED RevocationReason = "AFFILIATION_CHANGED" - RevocationReason_SUPERCEDED RevocationReason = "SUPERCEDED" - RevocationReason_CESSATION_OF_OPERATION RevocationReason = "CESSATION_OF_OPERATION" + RevocationReason_A_A_COMPROMISE RevocationReason = "A_A_COMPROMISE" + RevocationReason_CA_COMPROMISE RevocationReason = "CA_COMPROMISE" RevocationReason_CERTIFICATE_HOLD RevocationReason = "CERTIFICATE_HOLD" - RevocationReason_REMOVE_FROM_CRL RevocationReason = "REMOVE_FROM_CRL" + RevocationReason_CESSATION_OF_OPERATION RevocationReason = "CESSATION_OF_OPERATION" + RevocationReason_KEY_COMPROMISE RevocationReason = "KEY_COMPROMISE" RevocationReason_PRIVILEGE_WITHDRAWN RevocationReason = "PRIVILEGE_WITHDRAWN" - RevocationReason_A_A_COMPROMISE RevocationReason = "A_A_COMPROMISE" + RevocationReason_REMOVE_FROM_CRL RevocationReason = "REMOVE_FROM_CRL" + RevocationReason_SUPERCEDED RevocationReason = "SUPERCEDED" + RevocationReason_UNSPECIFIED RevocationReason = "UNSPECIFIED" ) type SortBy string @@ -170,6 +170,6 @@ const ( type ValidationMethod string const ( - ValidationMethod_EMAIL ValidationMethod = "EMAIL" ValidationMethod_DNS ValidationMethod = "DNS" + ValidationMethod_EMAIL ValidationMethod = "EMAIL" ) diff --git a/apis/v1alpha1/generator.yaml b/apis/v1alpha1/generator.yaml index 09b6d14..7137899 100644 --- a/apis/v1alpha1/generator.yaml 
+++ b/apis/v1alpha1/generator.yaml @@ -32,7 +32,7 @@ resources: # Unfortunately, because fields in the "ignore" configuration list are # now deleted from the aws-sdk-go private/model/api.Shape object, # setting `override_values` above does not work :( - code: input.SetValidationMethod("DNS") + code: input.ValidationMethod = "DNS" sdk_read_one_pre_set_output: template_path: hooks/certificate/sdk_read_one_pre_set_output.go.tpl sdk_file_end: @@ -40,12 +40,15 @@ resources: late_initialize_post_read_one: template_path: hooks/certificate/late_initialize_post_read_one.go.tpl exceptions: + errors: + 404: + code: ResourceNotFoundException terminal_codes: - - InvalidParameter - - InvalidDomainValidationOptionsException + - InvalidParameterException + - InvalidDomainValidationOptionsException - InvalidTagException - TagPolicyException - - TooManyTagsException + - TooManyTagsException - InvalidArnException reconcile: requeue_on_success_seconds: 60 diff --git a/cmd/controller/main.go b/cmd/controller/main.go index acbaa7f..8402cf6 100644 --- a/cmd/controller/main.go +++ b/cmd/controller/main.go @@ -16,6 +16,7 @@ package main import ( + "context" "os" acmpcaapitypes "github.com/aws-controllers-k8s/acmpca-controller/apis/v1alpha1" @@ -38,7 +39,6 @@ import ( svctypes "github.com/aws-controllers-k8s/acm-controller/apis/v1alpha1" svcresource "github.com/aws-controllers-k8s/acm-controller/pkg/resource" - svcsdk "github.com/aws/aws-sdk-go/service/acm" _ "github.com/aws-controllers-k8s/acm-controller/pkg/resource/certificate" @@ -46,11 +46,10 @@ import ( ) var ( - awsServiceAPIGroup = "acm.services.k8s.aws" - awsServiceAlias = "acm" - awsServiceEndpointsID = svcsdk.EndpointsID - scheme = runtime.NewScheme() - setupLog = ctrlrt.Log.WithName("setup") + awsServiceAPIGroup = "acm.services.k8s.aws" + awsServiceAlias = "acm" + scheme = runtime.NewScheme() + setupLog = ctrlrt.Log.WithName("setup") ) func init() { 
@@ -73,7 +72,8 @@ func main() { resourceGVKs = append(resourceGVKs, mf.ResourceDescriptor().GroupVersionKind()) } - if err := ackCfg.Validate(ackcfg.WithGVKs(resourceGVKs)); err != nil { + ctx := context.Background() + if err := ackCfg.Validate(ctx, ackcfg.WithGVKs(resourceGVKs)); err != nil { setupLog.Error( err, "Unable to create controller manager", "aws.service", awsServiceAlias, @@ -138,7 +138,7 @@ func main() { "aws.service", awsServiceAlias, ) sc := ackrt.NewServiceController( - awsServiceAlias, awsServiceAPIGroup, awsServiceEndpointsID, + awsServiceAlias, awsServiceAPIGroup, acktypes.VersionInfo{ version.GitCommit, version.GitVersion, diff --git a/config/crd/bases/acm.services.k8s.aws_certificates.yaml b/config/crd/bases/acm.services.k8s.aws_certificates.yaml index 96acfd9..b591a8f 100644 --- a/config/crd/bases/acm.services.k8s.aws_certificates.yaml +++ b/config/crd/bases/acm.services.k8s.aws_certificates.yaml 
@@ -146,11 +146,26 @@ spec: uses to encrypt data. RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, - ECDSA is not supported by all network clients. Some AWS services may require - RSA keys, or only support ECDSA keys of a particular size, while others allow - the use of either RSA and ECDSA keys to ensure that compatibility is not - broken. Check the requirements for the AWS service where you plan to deploy - your certificate. + ECDSA is not supported by all network clients. Some Amazon Web Services services + may require RSA keys, or only support ECDSA keys of a particular size, while + others allow the use of either RSA and ECDSA keys to ensure that compatibility + is not broken. Check the requirements for the Amazon Web Services service + where you plan to deploy your certificate. For more information about selecting + an algorithm, see Key algorithms (https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms). + + Algorithms supported for an ACM certificate request include: + + * RSA_2048 + + * EC_prime256v1 + + * EC_secp384r1 + + Other listed algorithms are for imported certificates only. + + When you request a private PKI certificate signed by a CA from Amazon Web + Services Private CA, the specified signing algorithm family (RSA or ECDSA) + must match the algorithm family of the CA's secret key. Default: RSA_2048 type: string diff --git a/generator.yaml b/generator.yaml index 09b6d14..7137899 100644 --- a/generator.yaml +++ b/generator.yaml 
@@ -32,7 +32,7 @@ resources: # Unfortunately, because fields in the "ignore" configuration list are # now deleted from the aws-sdk-go private/model/api.Shape object, # setting `override_values` above does not work :( - code: input.SetValidationMethod("DNS") + code: input.ValidationMethod = "DNS" sdk_read_one_pre_set_output: template_path: hooks/certificate/sdk_read_one_pre_set_output.go.tpl sdk_file_end: @@ -40,12 +40,15 @@ resources: late_initialize_post_read_one: template_path: hooks/certificate/late_initialize_post_read_one.go.tpl exceptions: + errors: + 404: + code: ResourceNotFoundException terminal_codes: - - InvalidParameter - - InvalidDomainValidationOptionsException + - InvalidParameterException + - InvalidDomainValidationOptionsException - InvalidTagException - TagPolicyException - - TooManyTagsException + - TooManyTagsException - InvalidArnException reconcile: requeue_on_success_seconds: 60 diff --git a/go.mod b/go.mod index 53b34bf..314abfc 100644 --- a/go.mod +++ b/go.mod @@ -6,8 +6,11 @@ toolchain go1.22.5 require ( github.com/aws-controllers-k8s/acmpca-controller v0.0.17 - github.com/aws-controllers-k8s/runtime v0.41.0 + github.com/aws-controllers-k8s/runtime v0.41.1-0.20250204215244-e48dd7b2d6d0 github.com/aws/aws-sdk-go v1.49.6 + github.com/aws/aws-sdk-go-v2 v1.34.0 + github.com/aws/aws-sdk-go-v2/service/acm v1.30.14 + github.com/aws/smithy-go v1.22.2 github.com/go-logr/logr v1.4.2 github.com/spf13/pflag v1.0.5 k8s.io/api v0.31.0 
@@ -17,6 +20,17 @@ require ( ) require ( + github.com/aws/aws-sdk-go-v2/config v1.28.6 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.47 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.21 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.6 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.24.7 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.6 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.33.2 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect diff --git a/go.sum b/go.sum index 38e0092..8c62f5d 100644 --- a/go.sum +++ b/go.sum 
@@ -1,9 +1,37 @@ github.com/aws-controllers-k8s/acmpca-controller v0.0.17 h1:i1YyvDui8LNbwLwkXsr+jVoyCP49+ie4CZq1RRq7Tz0= github.com/aws-controllers-k8s/acmpca-controller v0.0.17/go.mod h1:BaLyCLbP5GibqqT4qANmDxAX3CYHatA+dQNFe5fOk+M= -github.com/aws-controllers-k8s/runtime v0.41.0 h1:WumDnUiVlqnYYGEIGSOUBgDPWTIEozW8HT0qwGapDgA= -github.com/aws-controllers-k8s/runtime v0.41.0/go.mod h1:Tuq5AFGJQcU00MY+J5hBYbLctpR50I8iGs5TPLox+u8= +github.com/aws-controllers-k8s/runtime v0.41.1-0.20250204215244-e48dd7b2d6d0 h1:ygZwhPfearlE8/P0HY8rXpFsbarwJ5tzBIov+3xgQfk= +github.com/aws-controllers-k8s/runtime v0.41.1-0.20250204215244-e48dd7b2d6d0/go.mod h1:Oy0JKvDxZMZ+SVupm4NZVqP00KLIIAMfk93KnOwlt5c= github.com/aws/aws-sdk-go v1.49.6 h1:yNldzF5kzLBRvKlKz1S0bkvc2+04R1kt13KfBWQBfFA= github.com/aws/aws-sdk-go v1.49.6/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/aws-sdk-go-v2 v1.34.0 h1:9iyL+cjifckRGEVpRKZP3eIxVlL06Qk1Tk13vreaVQU= +github.com/aws/aws-sdk-go-v2 v1.34.0/go.mod h1:JgstGg0JjWU1KpVJjD5H0y0yyAIpSdKEq556EI6yOOM= +github.com/aws/aws-sdk-go-v2/config v1.28.6 h1:D89IKtGrs/I3QXOLNTH93NJYtDhm8SYa9Q5CsPShmyo= +github.com/aws/aws-sdk-go-v2/config v1.28.6/go.mod h1:GDzxJ5wyyFSCoLkS+UhGB0dArhb9mI+Co4dHtoTxbko= +github.com/aws/aws-sdk-go-v2/credentials v1.17.47 h1:48bA+3/fCdi2yAwVt+3COvmatZ6jUDNkDTIsqDiMUdw= +github.com/aws/aws-sdk-go-v2/credentials v1.17.47/go.mod h1:+KdckOejLW3Ks3b0E3b5rHsr2f9yuORBum0WPnE5o5w= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.21 h1:AmoU1pziydclFT/xRV+xXE/Vb8fttJCLRPv8oAkprc0= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.21/go.mod h1:AjUdLYe4Tgs6kpH4Bv7uMZo7pottoyHMn4eTcIcneaY= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29 h1:Ej0Rf3GMv50Qh4G4852j2djtoDb7AzQ7MuQeFHa3D70= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29/go.mod h1:oeNTC7PwJNoM5AznVr23wxhLnuJv0ZDe5v7w0wqIs9M= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29 h1:6e8a71X+9GfghragVevC5bZqvATtc3mAMgxpSNbgzF0= 
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29/go.mod h1:c4jkZiQ+BWpNqq7VtrxjwISrLrt/VvPq3XiopkUIolI= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= +github.com/aws/aws-sdk-go-v2/service/acm v1.30.14 h1:00t0UlApxv88+4j3OI/ozirApgdp6sDOMWNhm7IejPg= +github.com/aws/aws-sdk-go-v2/service/acm v1.30.14/go.mod h1:wpZZQcNDMXDvcVGLVx5b0v4sD4NutcVTHnxDopsPixM= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 h1:iXtILhvDxB6kPvEXgsDhGaZCSC6LQET5ZHSdJozeI0Y= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1/go.mod h1:9nu0fVANtYiAePIBh2/pFUSwtJ402hLnp854CNoDOeE= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.6 h1:50+XsN70RS7dwJ2CkVNXzj7U2L1HKP8nqTd3XWEXBN4= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.6/go.mod h1:WqgLmwY7so32kG01zD8CPTJWVWM+TzJoOVHwTg4aPug= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.7 h1:rLnYAfXQ3YAccocshIH5mzNNwZBkBo+bP6EhIxak6Hw= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.7/go.mod h1:ZHtuQJ6t9A/+YDuxOLnbryAmITtr8UysSny3qcyvJTc= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.6 h1:JnhTZR3PiYDNKlXy50/pNeix9aGMo6lLpXwJ1mw8MD4= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.6/go.mod h1:URronUEGfXZN1VpdktPSD1EkAL9mfrV+2F4sjH38qOY= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.2 h1:s4074ZO1Hk8qv65GqNXqDjmkf4HSQqJukaLuuW0TpDA= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.2/go.mod h1:mVggCnIWoM09jP71Wh+ea7+5gAp53q+49wDFs1SW5z8= +github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ= +github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/cenkalti/backoff/v4 v4.3.0 
h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= diff --git a/helm/crds/acm.services.k8s.aws_certificates.yaml b/helm/crds/acm.services.k8s.aws_certificates.yaml index b13d694..0b934fb 100644 --- a/helm/crds/acm.services.k8s.aws_certificates.yaml +++ b/helm/crds/acm.services.k8s.aws_certificates.yaml @@ -146,11 +146,26 @@ spec: uses to encrypt data. RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, - ECDSA is not supported by all network clients. Some AWS services may require - RSA keys, or only support ECDSA keys of a particular size, while others allow - the use of either RSA and ECDSA keys to ensure that compatibility is not - broken. Check the requirements for the AWS service where you plan to deploy - your certificate. + ECDSA is not supported by all network clients. Some Amazon Web Services services + may require RSA keys, or only support ECDSA keys of a particular size, while + others allow the use of either RSA and ECDSA keys to ensure that compatibility + is not broken. Check the requirements for the Amazon Web Services service + where you plan to deploy your certificate. For more information about selecting + an algorithm, see Key algorithms (https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms). + + Algorithms supported for an ACM certificate request include: + + - RSA_2048 + + - EC_prime256v1 + + - EC_secp384r1 + + Other listed algorithms are for imported certificates only. + + When you request a private PKI certificate signed by a CA from Amazon Web + Services Private CA, the specified signing algorithm family (RSA or ECDSA) + must match the algorithm family of the CA's secret key. Default: RSA_2048 type: string diff --git a/pkg/resource/certificate/hooks.go b/pkg/resource/certificate/hooks.go index 3e68586..686738e 100644 --- a/pkg/resource/certificate/hooks.go 
+++ b/pkg/resource/certificate/hooks.go @@ -21,7 +21,7 @@ import ( ackv1alpha1 "github.com/aws-controllers-k8s/runtime/apis/core/v1alpha1" ackerr "github.com/aws-controllers-k8s/runtime/pkg/errors" ackrtlog "github.com/aws-controllers-k8s/runtime/pkg/runtime/log" - svcsdk "github.com/aws/aws-sdk-go/service/acm" + svcsdk "github.com/aws/aws-sdk-go-v2/service/acm" "github.com/aws-controllers-k8s/acm-controller/pkg/tags" ) @@ -106,7 +106,7 @@ func (rm *resourceManager) importCertificate( exit := rlog.Trace("rm.importCertificate") defer func(err error) { exit(err) }(err) - resp, respErr := rm.sdkapi.ImportCertificateWithContext(ctx, input) + resp, respErr := rm.sdkapi.ImportCertificate(ctx, input) rm.metrics.RecordAPICall("CREATE", "ImportCertificate", respErr) if respErr != nil { return nil, respErr @@ -123,11 +123,8 @@ func (rm *resourceManager) importCertificate( // importCertificateInput exists as a workaround for a limitation in code-generator. // code-generator does not resolve secret key references for custom []byte fields like PrivateKey and Certificate. type importCertificateInput struct { + Certificate *ackv1alpha1.SecretKeyReference + CertificateChain *ackv1alpha1.SecretKeyReference + PrivateKey *ackv1alpha1.SecretKeyReference *svcsdk.ImportCertificateInput } - -func (c *importCertificateInput) SetPrivateKey(_ *ackv1alpha1.SecretKeyReference) {} - -func (c *importCertificateInput) SetCertificate(_ *ackv1alpha1.SecretKeyReference) {} - -func (c *importCertificateInput) SetCertificateChain(_ *ackv1alpha1.SecretKeyReference) {} diff --git a/pkg/resource/certificate/manager.go b/pkg/resource/certificate/manager.go index b90956a..034f959 100644 --- a/pkg/resource/certificate/manager.go +++ b/pkg/resource/certificate/manager.go 
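Review bot: The three new SecretKeyReference fields on importCertificateInput shadow the Certificate, CertificateChain and PrivateKey fields of the embedded *svcsdk.ImportCertificateInput, so generated code that assigns input.PrivateKey now writes the outer field and the SDK's []byte fields stay nil unless the hook copies the resolved secret contents into input.ImportCertificateInput before ImportCertificate is called; that copy is not in this diff, so it is worth confirming it exists. The struct comment should state that the shadowing is deliberate, e.g. `// The SecretKeyReference fields intentionally shadow the []byte fields of the embedded SDK input; the resolved secret contents must be copied into ImportCertificateInput before the API call.` Because this struct is where private-key material is resolved, the comment should also say it must not be logged or embedded in error messages.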
@@ -32,9 +32,8 @@ import ( acktags "github.com/aws-controllers-k8s/runtime/pkg/tags" acktypes "github.com/aws-controllers-k8s/runtime/pkg/types" ackutil "github.com/aws-controllers-k8s/runtime/pkg/util" - "github.com/aws/aws-sdk-go/aws/session" - svcsdk "github.com/aws/aws-sdk-go/service/acm" - svcsdkapi "github.com/aws/aws-sdk-go/service/acm/acmiface" + "github.com/aws/aws-sdk-go-v2/aws" + svcsdk "github.com/aws/aws-sdk-go-v2/service/acm" "github.com/go-logr/logr" corev1 "k8s.io/api/core/v1" @@ -59,6 +58,9 @@ type resourceManager struct { // cfg is a copy of the ackcfg.Config object passed on start of the service // controller cfg ackcfg.Config + // clientcfg is a copy of the client configuration passed on start of the + // service controller + clientcfg aws.Config // log refers to the logr.Logger object handling logging for the service // controller log logr.Logger @@ -73,12 +75,9 @@ type resourceManager struct { awsAccountID ackv1alpha1.AWSAccountID // The AWS Region that this resource manager targets awsRegion ackv1alpha1.AWSRegion - // sess is the AWS SDK Session object used to communicate with the backend - // AWS service API - sess *session.Session - // sdk is a pointer to the AWS service API interface exposed by the - // aws-sdk-go/services/{alias}/{alias}iface package. - sdkapi svcsdkapi.ACMAPI + // sdk is a pointer to the AWS service API client exposed by the + // aws-sdk-go-v2/services/{alias} package. + sdkapi *svcsdk.Client } // concreteResource returns a pointer to a resource from the supplied 
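Review bot: The new doc comment on the sdkapi field names the wrong identifier and the wrong package path: it says `sdk is a pointer` while the field is `sdkapi`, and `aws-sdk-go-v2/services/{alias}` should be `service/{alias}` (singular), as the import in the first hunk of this file shows. Suggest `// sdkapi is the AWS service API client exposed by the` / `// aws-sdk-go-v2/service/{alias} package.` Replacing the acmiface interface with the concrete *svcsdk.Client also removes the seam that let tests stub the API; if any resource-manager tests relied on it they will need a different injection point. The resourceManager struct continues beyond this hunk.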
@@ -325,24 +324,25 @@ func (rm *resourceManager) EnsureTags( // newResourceManager returns a new struct implementing // acktypes.AWSResourceManager +// This is for AWS-SDK-GO-V2 - Created newResourceManager With AWS sdk-Go-ClientV2 func newResourceManager( cfg ackcfg.Config, + clientcfg aws.Config, log logr.Logger, metrics *ackmetrics.Metrics, rr acktypes.Reconciler, - sess *session.Session, id ackv1alpha1.AWSAccountID, region ackv1alpha1.AWSRegion, ) (*resourceManager, error) { return &resourceManager{ cfg: cfg, + clientcfg: clientcfg, log: log, metrics: metrics, rr: rr, awsAccountID: id, awsRegion: region, - sess: sess, - sdkapi: svcsdk.New(sess), + sdkapi: svcsdk.NewFromConfig(clientcfg), }, nil } diff --git a/pkg/resource/certificate/manager_factory.go b/pkg/resource/certificate/manager_factory.go index 6510f0a..6424218 100644 --- a/pkg/resource/certificate/manager_factory.go +++ b/pkg/resource/certificate/manager_factory.go @@ -23,7 +23,7 @@ import ( ackcfg "github.com/aws-controllers-k8s/runtime/pkg/config" ackmetrics "github.com/aws-controllers-k8s/runtime/pkg/metrics" acktypes "github.com/aws-controllers-k8s/runtime/pkg/types" - "github.com/aws/aws-sdk-go/aws/session" + "github.com/aws/aws-sdk-go-v2/aws" "github.com/go-logr/logr" svcresource "github.com/aws-controllers-k8s/acm-controller/pkg/resource" @@ -47,10 +47,10 @@ func (f *resourceManagerFactory) ResourceDescriptor() acktypes.AWSResourceDescri // supplied AWS account func (f *resourceManagerFactory) ManagerFor( cfg ackcfg.Config, + clientcfg aws.Config, log logr.Logger, metrics *ackmetrics.Metrics, rr acktypes.Reconciler, - sess *session.Session, id ackv1alpha1.AWSAccountID, region ackv1alpha1.AWSRegion, roleARN ackv1alpha1.AWSResourceName, 
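Review bot: The added line `// This is for AWS-SDK-GO-V2 - Created newResourceManager With AWS sdk-Go-ClientV2` is glued onto the godoc paragraph of newResourceManager and reads as a changelog entry rather than documentation. Fold what it conveys into the doc comment instead, e.g. `// newResourceManager returns a new struct implementing acktypes.AWSResourceManager,` / `// building the ACM client from the supplied aws-sdk-go-v2 aws.Config via svcsdk.NewFromConfig.` The clientcfg parameter is also worth a sentence saying it is stored on the manager and is the configuration the client is built from.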
@@ -70,7 +70,7 @@ func (f *resourceManagerFactory) ManagerFor( f.Lock() defer f.Unlock() - rm, err := newResourceManager(cfg, log, metrics, rr, sess, id, region) + rm, err := newResourceManager(cfg, clientcfg, log, metrics, rr, id, region) if err != nil { return nil, err } diff --git a/pkg/resource/certificate/sdk.go b/pkg/resource/certificate/sdk.go index a21953c..0ba1f2b 100644 --- a/pkg/resource/certificate/sdk.go +++ b/pkg/resource/certificate/sdk.go @@ -28,8 +28,10 @@ import ( ackerr "github.com/aws-controllers-k8s/runtime/pkg/errors" ackrequeue "github.com/aws-controllers-k8s/runtime/pkg/requeue" ackrtlog "github.com/aws-controllers-k8s/runtime/pkg/runtime/log" - "github.com/aws/aws-sdk-go/aws" - svcsdk "github.com/aws/aws-sdk-go/service/acm" + "github.com/aws/aws-sdk-go-v2/aws" + svcsdk "github.com/aws/aws-sdk-go-v2/service/acm" + svcsdktypes "github.com/aws/aws-sdk-go-v2/service/acm/types" + smithy "github.com/aws/smithy-go" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -40,8 +42,7 @@ import ( var ( _ = &metav1.Time{} _ = strings.ToLower("") - _ = &aws.JSONValue{} - _ = &svcsdk.ACM{} + _ = &svcsdk.Client{} _ = &svcapitypes.Certificate{} _ = ackv1alpha1.AWSAccountID("") _ = &ackerr.NotFound @@ -49,6 +50,7 @@ var ( _ = &reflect.Value{} _ = fmt.Sprintf("") _ = &ackrequeue.NoRequeue{} + _ = &aws.Config{} ) // sdkFind returns SDK-specific information about a supplied resource 
@@ -74,13 +76,11 @@ func (rm *resourceManager) sdkFind( } var resp *svcsdk.DescribeCertificateOutput - resp, err = rm.sdkapi.DescribeCertificateWithContext(ctx, input) + resp, err = rm.sdkapi.DescribeCertificate(ctx, input) rm.metrics.RecordAPICall("READ_ONE", "DescribeCertificate", err) if err != nil { - if reqErr, ok := ackerr.AWSRequestFailure(err); ok && reqErr.StatusCode() == 404 { - return nil, ackerr.NotFound - } - if awsErr, ok := ackerr.AWSError(err); ok && awsErr.Code() == "UNKNOWN" { + var awsErr smithy.APIError + if errors.As(err, &awsErr) && awsErr.ErrorCode() == "ResourceNotFoundException" { return nil, ackerr.NotFound } return nil, err @@ -101,8 +101,8 @@ func (rm *resourceManager) sdkFind( if dvsiter.ResourceRecord.Name != nil { dvselem.ResourceRecord.Name = dvsiter.ResourceRecord.Name } - if dvsiter.ResourceRecord.Type != nil { - dvselem.ResourceRecord.Type = dvsiter.ResourceRecord.Type + if dvsiter.ResourceRecord.Type != "" { + dvselem.ResourceRecord.Type = aws.String(string(dvsiter.ResourceRecord.Type)) } if dvsiter.ResourceRecord.Value != nil { dvselem.ResourceRecord.Value = dvsiter.ResourceRecord.Value @@ -111,14 +111,14 @@ func (rm *resourceManager) sdkFind( if dvsiter.ValidationDomain != nil { dvselem.ValidationDomain = dvsiter.ValidationDomain } - if dvsiter.ValidationEmails != nil { - dvselem.ValidationEmails = dvsiter.ValidationEmails + for _, ve := range dvsiter.ValidationEmails { + dvselem.ValidationEmails = append(dvselem.ValidationEmails, &ve) } - if dvsiter.ValidationMethod != nil { - dvselem.ValidationMethod = dvsiter.ValidationMethod + if dvsiter.ValidationMethod != "" { + dvselem.ValidationMethod = aws.String(string(dvsiter.ValidationMethod)) } - if dvsiter.ValidationStatus != nil { - dvselem.ValidationStatus = dvsiter.ValidationStatus + if dvsiter.ValidationStatus != "" { + dvselem.ValidationStatus = aws.String(string(dvsiter.ValidationStatus)) } dvs = append(dvs, dvselem) } 
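Review bot: The not-found check matches the error code by string literal through smithy.APIError, although the import hunk at the top of this file already brings in svcsdktypes, which models that exception as a concrete type; `var nf *svcsdktypes.ResourceNotFoundException` / `if errors.As(err, &nf) { return nil, ackerr.NotFound }` keeps the check tied to the SDK's definition rather than to a literal that must stay in step with the `ResourceNotFoundException` entry in generator.yaml. If the string form is the generator's convention, leave it, but then the two literals are coupled and a comment saying so would help. errors.As also needs the errors package imported in sdk.go; that import is outside the visible hunks, so confirm it is present. sdkFind continues beyond this hunk.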
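Review bot: In the ValidationEmails loop, `&ve` takes the address of the range variable; this is only correct under per-iteration loop semantics (module `go` directive 1.22 or newer, which the `toolchain go1.22.5` line in go.mod suggests but does not guarantee, since the `go` directive itself is not visible here), and under older semantics every element of dvselem.ValidationEmails would point at the last email. The InUseBy hunk later in this file already converts a []string with `aws.StringSlice`, so doing the same here is both safer and consistent: `if dvsiter.ValidationEmails != nil {` / `dvselem.ValidationEmails = aws.StringSlice(dvsiter.ValidationEmails)` / `}`. The nil guard keeps the existing behaviour of leaving the field nil when the SDK returns no emails. sdkFind continues beyond this hunk.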
@@ -176,8 +176,8 @@ func (rm *resourceManager) sdkFind( f5 := []*svcapitypes.ExtendedKeyUsage{} for _, f5iter := range resp.Certificate.ExtendedKeyUsages { f5elem := &svcapitypes.ExtendedKeyUsage{} - if f5iter.Name != nil { - f5elem.Name = f5iter.Name + if f5iter.Name != "" { + f5elem.Name = aws.String(string(f5iter.Name)) } if f5iter.OID != nil { f5elem.OID = f5iter.OID @@ -188,8 +188,8 @@ func (rm *resourceManager) sdkFind( } else { ko.Status.ExtendedKeyUsages = nil } - if resp.Certificate.FailureReason != nil { - ko.Status.FailureReason = resp.Certificate.FailureReason + if resp.Certificate.FailureReason != "" { + ko.Status.FailureReason = aws.String(string(resp.Certificate.FailureReason)) } else { ko.Status.FailureReason = nil } @@ -199,13 +199,7 @@ func (rm *resourceManager) sdkFind( ko.Status.ImportedAt = nil } if resp.Certificate.InUseBy != nil { - f8 := []*string{} - for _, f8iter := range resp.Certificate.InUseBy { - var f8elem string - f8elem = *f8iter - f8 = append(f8, &f8elem) - } - ko.Status.InUseBy = f8 + ko.Status.InUseBy = aws.StringSlice(resp.Certificate.InUseBy) } else { ko.Status.InUseBy = nil } @@ -219,8 +213,8 @@ func (rm *resourceManager) sdkFind( } else { ko.Status.Issuer = nil } - if resp.Certificate.KeyAlgorithm != nil { - ko.Spec.KeyAlgorithm = resp.Certificate.KeyAlgorithm + if resp.Certificate.KeyAlgorithm != "" { + ko.Spec.KeyAlgorithm = aws.String(string(resp.Certificate.KeyAlgorithm)) } else { ko.Spec.KeyAlgorithm = nil } @@ -228,8 +222,8 @@ func (rm *resourceManager) sdkFind( f12 := []*svcapitypes.KeyUsage{} for _, f12iter := range resp.Certificate.KeyUsages { f12elem := &svcapitypes.KeyUsage{} - if f12iter.Name != nil { - f12elem.Name = f12iter.Name + if f12iter.Name != "" { + f12elem.Name = aws.String(string(f12iter.Name)) } f12 = append(f12, f12elem) } 
@@ -249,15 +243,15 @@ func (rm *resourceManager) sdkFind( } if resp.Certificate.Options != nil { f15 := &svcapitypes.CertificateOptions{} - if resp.Certificate.Options.CertificateTransparencyLoggingPreference != nil { - f15.CertificateTransparencyLoggingPreference = resp.Certificate.Options.CertificateTransparencyLoggingPreference + if resp.Certificate.Options.CertificateTransparencyLoggingPreference != "" { + f15.CertificateTransparencyLoggingPreference = aws.String(string(resp.Certificate.Options.CertificateTransparencyLoggingPreference)) } ko.Spec.Options = f15 } else { ko.Spec.Options = nil } - if resp.Certificate.RenewalEligibility != nil { - ko.Status.RenewalEligibility = resp.Certificate.RenewalEligibility + if resp.Certificate.RenewalEligibility != "" { + ko.Status.RenewalEligibility = aws.String(string(resp.Certificate.RenewalEligibility)) } else { ko.Status.RenewalEligibility = nil } @@ -275,8 +269,8 @@ func (rm *resourceManager) sdkFind( if f17f0iter.ResourceRecord.Name != nil { f17f0elemf1.Name = f17f0iter.ResourceRecord.Name } - if f17f0iter.ResourceRecord.Type != nil { - f17f0elemf1.Type = f17f0iter.ResourceRecord.Type + if f17f0iter.ResourceRecord.Type != "" { + f17f0elemf1.Type = aws.String(string(f17f0iter.ResourceRecord.Type)) } if f17f0iter.ResourceRecord.Value != nil { f17f0elemf1.Value = f17f0iter.ResourceRecord.Value 
@@ -287,29 +281,23 @@ func (rm *resourceManager) sdkFind( f17f0elem.ValidationDomain = f17f0iter.ValidationDomain } if f17f0iter.ValidationEmails != nil { - f17f0elemf3 := []*string{} - for _, f17f0elemf3iter := range f17f0iter.ValidationEmails { - var f17f0elemf3elem string - f17f0elemf3elem = *f17f0elemf3iter - f17f0elemf3 = append(f17f0elemf3, &f17f0elemf3elem) - } - f17f0elem.ValidationEmails = f17f0elemf3 + f17f0elem.ValidationEmails = aws.StringSlice(f17f0iter.ValidationEmails) } - if f17f0iter.ValidationMethod != nil { - f17f0elem.ValidationMethod = f17f0iter.ValidationMethod + if f17f0iter.ValidationMethod != "" { + f17f0elem.ValidationMethod = aws.String(string(f17f0iter.ValidationMethod)) } - if f17f0iter.ValidationStatus != nil { - f17f0elem.ValidationStatus = f17f0iter.ValidationStatus + if f17f0iter.ValidationStatus != "" { + f17f0elem.ValidationStatus = aws.String(string(f17f0iter.ValidationStatus)) } f17f0 = append(f17f0, f17f0elem) } f17.DomainValidationOptions = f17f0 } - if resp.Certificate.RenewalSummary.RenewalStatus != nil { - f17.RenewalStatus = resp.Certificate.RenewalSummary.RenewalStatus + if resp.Certificate.RenewalSummary.RenewalStatus != "" { + f17.RenewalStatus = aws.String(string(resp.Certificate.RenewalSummary.RenewalStatus)) } - if resp.Certificate.RenewalSummary.RenewalStatusReason != nil { - f17.RenewalStatusReason = resp.Certificate.RenewalSummary.RenewalStatusReason + if resp.Certificate.RenewalSummary.RenewalStatusReason != "" { + f17.RenewalStatusReason = aws.String(string(resp.Certificate.RenewalSummary.RenewalStatusReason)) } if resp.Certificate.RenewalSummary.UpdatedAt != nil { f17.UpdatedAt = &metav1.Time{*resp.Certificate.RenewalSummary.UpdatedAt} 
@@ -318,8 +306,8 @@ func (rm *resourceManager) sdkFind( } else { ko.Status.RenewalSummary = nil } - if resp.Certificate.RevocationReason != nil { - ko.Status.RevocationReason = resp.Certificate.RevocationReason + if resp.Certificate.RevocationReason != "" { + ko.Status.RevocationReason = aws.String(string(resp.Certificate.RevocationReason)) } else { ko.Status.RevocationReason = nil } @@ -338,8 +326,8 @@ func (rm *resourceManager) sdkFind( } else { ko.Status.SignatureAlgorithm = nil } - if resp.Certificate.Status != nil { - ko.Status.Status = resp.Certificate.Status + if resp.Certificate.Status != "" { + ko.Status.Status = aws.String(string(resp.Certificate.Status)) } else { ko.Status.Status = nil } @@ -349,18 +337,12 @@ func (rm *resourceManager) sdkFind( ko.Status.Subject = nil } if resp.Certificate.SubjectAlternativeNames != nil { - f24 := []*string{} - for _, f24iter := range resp.Certificate.SubjectAlternativeNames { - var f24elem string - f24elem = *f24iter - f24 = append(f24, &f24elem) - } - ko.Spec.SubjectAlternativeNames = f24 + ko.Spec.SubjectAlternativeNames = aws.StringSlice(resp.Certificate.SubjectAlternativeNames) } else { ko.Spec.SubjectAlternativeNames = nil } - if resp.Certificate.Type != nil { - ko.Status.Type = resp.Certificate.Type + if resp.Certificate.Type != "" { + ko.Status.Type = aws.String(string(resp.Certificate.Type)) } else { ko.Status.Type = nil } @@ -387,7 +369,7 @@ func (rm *resourceManager) newDescribeRequestPayload( res := &svcsdk.DescribeCertificateInput{} if r.ko.Status.ACKResourceMetadata != nil && r.ko.Status.ACKResourceMetadata.ARN != nil { - res.SetCertificateArn(string(*r.ko.Status.ACKResourceMetadata.ARN)) + res.CertificateArn = (*string)(r.ko.Status.ACKResourceMetadata.ARN) } return res, nil 
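Review bot: `res.CertificateArn = (*string)(r.ko.Status.ACKResourceMetadata.ARN)` makes the SDK input point at the same memory as the resource's status field, where the removed `SetCertificateArn(string(*...ARN))` copied the value. Nothing visible mutates the input afterwards, so this is likely harmless today, but an API input that aliases the Kubernetes object's status is a subtle coupling; `res.CertificateArn = aws.String(string(*r.ko.Status.ACKResourceMetadata.ARN))` keeps the old copy semantics at the cost of one allocation. The same conversion appears in the newUpdateRequestPayload and newDeleteRequestPayload hunks.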
@@ -420,11 +402,11 @@ func (rm *resourceManager) sdkCreate(
 if err != nil {
 return nil, err
 }
- input.SetValidationMethod("DNS")
+ input.ValidationMethod = "DNS"
 var resp *svcsdk.RequestCertificateOutput
 _ = resp
- resp, err = rm.sdkapi.RequestCertificateWithContext(ctx, input)
+ resp, err = rm.sdkapi.RequestCertificate(ctx, input)
 rm.metrics.RecordAPICall("CREATE", "RequestCertificate", err)
 if err != nil {
 return nil, err
@@ -454,57 +436,51 @@ func (rm *resourceManager) newCreateRequestPayload( res := &svcsdk.RequestCertificateInput{} if r.ko.Spec.CertificateAuthorityARN != nil { - res.SetCertificateAuthorityArn(*r.ko.Spec.CertificateAuthorityARN) + res.CertificateAuthorityArn = r.ko.Spec.CertificateAuthorityARN } if r.ko.Spec.DomainName != nil { - res.SetDomainName(*r.ko.Spec.DomainName) + res.DomainName = r.ko.Spec.DomainName } if r.ko.Spec.DomainValidationOptions != nil { - f2 := []*svcsdk.DomainValidationOption{} + f2 := []svcsdktypes.DomainValidationOption{} for _, f2iter := range r.ko.Spec.DomainValidationOptions { - f2elem := &svcsdk.DomainValidationOption{} + f2elem := &svcsdktypes.DomainValidationOption{} if f2iter.DomainName != nil { - f2elem.SetDomainName(*f2iter.DomainName) + f2elem.DomainName = f2iter.DomainName } if f2iter.ValidationDomain != nil { - f2elem.SetValidationDomain(*f2iter.ValidationDomain) + f2elem.ValidationDomain = f2iter.ValidationDomain } - f2 = append(f2, f2elem) + f2 = append(f2, *f2elem) } - res.SetDomainValidationOptions(f2) + res.DomainValidationOptions = f2 } if r.ko.Spec.KeyAlgorithm != nil { - res.SetKeyAlgorithm(*r.ko.Spec.KeyAlgorithm) + res.KeyAlgorithm = svcsdktypes.KeyAlgorithm(*r.ko.Spec.KeyAlgorithm) } if r.ko.Spec.Options != nil { - f4 := &svcsdk.CertificateOptions{} + f4 := &svcsdktypes.CertificateOptions{} if r.ko.Spec.Options.CertificateTransparencyLoggingPreference != nil { - f4.SetCertificateTransparencyLoggingPreference(*r.ko.Spec.Options.CertificateTransparencyLoggingPreference) + f4.CertificateTransparencyLoggingPreference = svcsdktypes.CertificateTransparencyLoggingPreference(*r.ko.Spec.Options.CertificateTransparencyLoggingPreference) } - res.SetOptions(f4) + res.Options = f4 } if r.ko.Spec.SubjectAlternativeNames != nil { - f5 := []*string{} - for _, f5iter := range r.ko.Spec.SubjectAlternativeNames { - var f5elem string - f5elem = *f5iter - f5 = append(f5, &f5elem) - } - res.SetSubjectAlternativeNames(f5) + 
res.SubjectAlternativeNames = aws.ToStringSlice(r.ko.Spec.SubjectAlternativeNames) } if r.ko.Spec.Tags != nil { - f6 := []*svcsdk.Tag{} + f6 := []svcsdktypes.Tag{} for _, f6iter := range r.ko.Spec.Tags { - f6elem := &svcsdk.Tag{} + f6elem := &svcsdktypes.Tag{} if f6iter.Key != nil { - f6elem.SetKey(*f6iter.Key) + f6elem.Key = f6iter.Key } if f6iter.Value != nil { - f6elem.SetValue(*f6iter.Value) + f6elem.Value = f6iter.Value } - f6 = append(f6, f6elem) + f6 = append(f6, *f6elem) } - res.SetTags(f6) + res.Tags = f6 } return res, nil @@ -553,7 +529,7 @@ func (rm *resourceManager) sdkUpdate( var resp *svcsdk.UpdateCertificateOptionsOutput _ = resp - resp, err = rm.sdkapi.UpdateCertificateOptionsWithContext(ctx, input) + resp, err = rm.sdkapi.UpdateCertificateOptions(ctx, input) rm.metrics.RecordAPICall("UPDATE", "UpdateCertificateOptions", err) if err != nil { return nil, err @@ -576,14 +552,14 @@ func (rm *resourceManager) newUpdateRequestPayload( res := &svcsdk.UpdateCertificateOptionsInput{} if r.ko.Status.ACKResourceMetadata != nil && r.ko.Status.ACKResourceMetadata.ARN != nil { - res.SetCertificateArn(string(*r.ko.Status.ACKResourceMetadata.ARN)) + res.CertificateArn = (*string)(r.ko.Status.ACKResourceMetadata.ARN) } if r.ko.Spec.Options != nil { - f1 := &svcsdk.CertificateOptions{} + f1 := &svcsdktypes.CertificateOptions{} if r.ko.Spec.Options.CertificateTransparencyLoggingPreference != nil { - f1.SetCertificateTransparencyLoggingPreference(*r.ko.Spec.Options.CertificateTransparencyLoggingPreference) + f1.CertificateTransparencyLoggingPreference = svcsdktypes.CertificateTransparencyLoggingPreference(*r.ko.Spec.Options.CertificateTransparencyLoggingPreference) } - res.SetOptions(f1) + res.Options = f1 } return res, nil 
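Review bot: In the rewritten loops `f2elem := &svcsdktypes.DomainValidationOption{}` and `f6elem := &svcsdktypes.Tag{}` allocate a pointer only to copy the pointee back out with `append(f2, *f2elem)` / `append(f6, *f6elem)`; since the v2 slices now hold values, `f2elem := svcsdktypes.DomainValidationOption{}` and `f2 = append(f2, f2elem)` (likewise for `f6elem`) express the same thing without the indirection. The `inputf4elem` loop in the newImportCertificateInput hunk has the same shape. If this file is generated, the change belongs in the generator rather than in this file. newCreateRequestPayload's signature is outside the hunk.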
@@ -605,7 +581,7 @@ func (rm *resourceManager) sdkDelete(
 }
 var resp *svcsdk.DeleteCertificateOutput
 _ = resp
- resp, err = rm.sdkapi.DeleteCertificateWithContext(ctx, input)
+ resp, err = rm.sdkapi.DeleteCertificate(ctx, input)
 rm.metrics.RecordAPICall("DELETE", "DeleteCertificate", err)
 return nil, err
 }
@@ -618,7 +594,7 @@ func (rm *resourceManager) newDeleteRequestPayload(
 res := &svcsdk.DeleteCertificateInput{}
 if r.ko.Status.ACKResourceMetadata != nil && r.ko.Status.ACKResourceMetadata.ARN != nil {
- res.SetCertificateArn(string(*r.ko.Status.ACKResourceMetadata.ARN))
+ res.CertificateArn = (*string)(r.ko.Status.ACKResourceMetadata.ARN)
 }
 return res, nil
@@ -731,12 +707,13 @@ func (rm *resourceManager) terminalAWSError(err error) bool {
 if err == nil {
 return false
 }
- awsErr, ok := ackerr.AWSError(err)
- if !ok {
+
+ var terminalErr smithy.APIError
+ if !errors.As(err, &terminalErr) {
 return false
 }
- switch awsErr.Code() {
- case "InvalidParameter",
+ switch terminalErr.ErrorCode() {
+ case "InvalidParameterException",
 "InvalidDomainValidationOptionsException",
 "InvalidTagException",
 "TagPolicyException",
@@ -780,30 +757,30 @@ func (rm *resourceManager) newImportCertificateInput(
 ) (*svcsdk.ImportCertificateInput, error) {
 input := &importCertificateInput{ImportCertificateInput: &svcsdk.ImportCertificateInput{}}
 if r.ko.Spec.Certificate != nil {
- input.SetCertificate(r.ko.Spec.Certificate)
+ input.Certificate = r.ko.Spec.Certificate
 }
 if r.ko.Spec.CertificateARN != nil {
- input.SetCertificateArn(*r.ko.Spec.CertificateARN)
+ input.CertificateArn = r.ko.Spec.CertificateARN
 }
 if r.ko.Spec.CertificateChain != nil {
- input.SetCertificateChain(r.ko.Spec.CertificateChain)
+ input.CertificateChain = r.ko.Spec.CertificateChain
 }
 if r.ko.Spec.PrivateKey != nil {
- input.SetPrivateKey(r.ko.Spec.PrivateKey)
+ input.PrivateKey = r.ko.Spec.PrivateKey
 }
 if r.ko.Spec.Tags != nil {
- inputf4 := []*svcsdk.Tag{}
+ inputf4 := []svcsdktypes.Tag{}
 for _, inputf4iter := range r.ko.Spec.Tags {
- inputf4elem := &svcsdk.Tag{}
+ inputf4elem := &svcsdktypes.Tag{}
 if inputf4iter.Key != nil {
- inputf4elem.SetKey(*inputf4iter.Key)
+ inputf4elem.Key = inputf4iter.Key
 }
 if inputf4iter.Value != nil {
- inputf4elem.SetValue(*inputf4iter.Value)
+ inputf4elem.Value = inputf4iter.Value
 }
- inputf4 = append(inputf4, inputf4elem)
+ inputf4 = append(inputf4, *inputf4elem)
 }
- input.SetTags(inputf4)
+ input.Tags = inputf4
 }
 {
@@ -812,7 +789,7 @@ func (rm *resourceManager) newImportCertificateInput(
 return nil, ackrequeue.Needed(err)
 }
 if tmpSecret != "" {
- input.PrivateKey = []byte(tmpSecret)
+ input.ImportCertificateInput.PrivateKey = []byte(tmpSecret)
 }
 }
@@ -822,7 +799,7 @@ func (rm *resourceManager) newImportCertificateInput(
 return nil, ackrequeue.Needed(err)
 }
 if tmpSecret != "" {
- input.Certificate = []byte(tmpSecret)
+ input.ImportCertificateInput.Certificate = []byte(tmpSecret)
 }
 }
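Review bot: `input.PrivateKey = r.ko.Spec.PrivateKey` and, a few lines later, `input.ImportCertificateInput.PrivateKey = []byte(tmpSecret)` write to two different fields — the first to the `importCertificateInput` wrapper's own field, the second to the embedded SDK struct's — and the same pair exists for `Certificate` and `CertificateChain`, yet nothing in the hunk says why both exist. A comment on the wrapper type (defined outside this hunk), along the lines of `// Certificate, CertificateChain and PrivateKey shadow the embedded SDK fields: they hold the Spec references (presumably Secret references) while the resolved bytes are written to ImportCertificateInput.<Field>.`, would keep the next reader from assuming the second assignment overwrites the first. Since the embedded `PrivateKey` now carries key material read from a Secret, it is also worth confirming that nothing on the call path logs or dumps the whole input struct. The `sdk_file_end.go.tpl` hunk generates these lines, so the explanation belongs alongside the template too.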
@@ -832,7 +809,7 @@ func (rm *resourceManager) newImportCertificateInput(
 return nil, ackrequeue.Needed(err)
 }
 if tmpSecret != "" {
- input.CertificateChain = []byte(tmpSecret)
+ input.ImportCertificateInput.CertificateChain = []byte(tmpSecret)
 }
 }
diff --git a/pkg/tags/sync.go b/pkg/tags/sync.go
index 09cf0ef..1e03374 100644
--- a/pkg/tags/sync.go
+++ b/pkg/tags/sync.go
@@ -19,8 +19,8 @@ import (
 "github.com/aws-controllers-k8s/acm-controller/apis/v1alpha1"
 ackrtlog "github.com/aws-controllers-k8s/runtime/pkg/runtime/log"
- "github.com/aws/aws-sdk-go/aws/request"
- svcsdk "github.com/aws/aws-sdk-go/service/acm"
+ svcsdk "github.com/aws/aws-sdk-go-v2/service/acm"
+ svcsdktypes "github.com/aws/aws-sdk-go-v2/service/acm/types"
 )
 type metricsRecorder interface {
@@ -28,9 +28,9 @@ type metricsRecorder interface {
 }
 type tagsClient interface {
- AddTagsToCertificateWithContext(context.Context, *svcsdk.AddTagsToCertificateInput, ...request.Option) (*svcsdk.AddTagsToCertificateOutput, error)
- ListTagsForCertificateWithContext(context.Context, *svcsdk.ListTagsForCertificateInput, ...request.Option) (*svcsdk.ListTagsForCertificateOutput, error)
- RemoveTagsFromCertificateWithContext(context.Context, *svcsdk.RemoveTagsFromCertificateInput, ...request.Option) (*svcsdk.RemoveTagsFromCertificateOutput, error)
+ AddTagsToCertificate(context.Context, *svcsdk.AddTagsToCertificateInput, ...func(*svcsdk.Options)) (*svcsdk.AddTagsToCertificateOutput, error)
+ ListTagsForCertificate(context.Context, *svcsdk.ListTagsForCertificateInput, ...func(*svcsdk.Options)) (*svcsdk.ListTagsForCertificateOutput, error)
+ RemoveTagsFromCertificate(context.Context, *svcsdk.RemoveTagsFromCertificateInput, ...func(*svcsdk.Options)) (*svcsdk.RemoveTagsFromCertificateOutput, error)
 }
 // syncTags examines the Tags in the supplied Resource and calls the
@@ -116,10 +116,10 @@ func addTags(
 exit := rlog.Trace("rm.addTag")
 defer func() { exit(err) }()
- sdkTags := []*svcsdk.Tag{}
+ sdkTags := []svcsdktypes.Tag{}
 for k, v := range tags {
 k := k
- sdkTags = append(sdkTags, &svcsdk.Tag{
+ sdkTags = append(sdkTags, svcsdktypes.Tag{
 Key: &k,
 Value: v,
 })
@@ -130,7 +130,7 @@ func addTags(
 Tags: sdkTags,
 }
- _, err = client.AddTagsToCertificateWithContext(ctx, input)
+ _, err = client.AddTagsToCertificate(ctx, input)
 mr.RecordAPICall("UPDATE", "AddTagsToCertificate", err)
 return err
 }
@@ -147,10 +147,10 @@ func removeTags(
 exit := rlog.Trace("rm.removeTag")
 defer func() { exit(err) }()
- sdkTags := []*svcsdk.Tag{}
+ sdkTags := []svcsdktypes.Tag{}
 for k, v := range tags {
 k := k
- sdkTags = append(sdkTags, &svcsdk.Tag{
+ sdkTags = append(sdkTags, svcsdktypes.Tag{
 Key: &k,
 Value: v,
 })
@@ -160,7 +160,7 @@ func removeTags(
 CertificateArn: &resourceARN,
 Tags: sdkTags,
 }
- _, err = client.RemoveTagsFromCertificateWithContext(ctx, input)
+ _, err = client.RemoveTagsFromCertificate(ctx, input)
 mr.RecordAPICall("UPDATE", "RemoveTagsFromCertificate", err)
 return err
 }
@@ -178,7 +178,7 @@ func ListTags(
 defer exit(err)
 var listTagsOfResourceOutput *svcsdk.ListTagsForCertificateOutput
- listTagsOfResourceOutput, err = client.ListTagsForCertificateWithContext(
+ listTagsOfResourceOutput, err = client.ListTagsForCertificate(
 ctx,
 &svcsdk.ListTagsForCertificateInput{
 CertificateArn: &resourceARN,
@@ -192,7 +192,7 @@ func ListTags(
 }
 // resourceTagsFromSDKTags transforms a *svcsdk.Tag array to a *v1alpha1.Tag array.
-func resourceTagsFromSDKTags(svcTags []*svcsdk.Tag) []*v1alpha1.Tag {
+func resourceTagsFromSDKTags(svcTags []svcsdktypes.Tag) []*v1alpha1.Tag {
 tags := make([]*v1alpha1.Tag, len(svcTags))
 for i := range svcTags {
 tags[i] = &v1alpha1.Tag{
diff --git a/templates/hooks/certificate/sdk_file_end.go.tpl b/templates/hooks/certificate/sdk_file_end.go.tpl
index b163a82..c29c10a 100644
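Review bot: The doc comment above `resourceTagsFromSDKTags` still says it transforms a `*svcsdk.Tag` array, but the signature now takes `[]svcsdktypes.Tag`; update it to `// resourceTagsFromSDKTags transforms a []svcsdktypes.Tag slice into a []*v1alpha1.Tag slice.` so the comment matches the type it documents. Separately, in the addTags and removeTags hunks `sdkTags := []svcsdktypes.Tag{}` could become `make([]svcsdktypes.Tag, 0, len(tags))` since the element count is known up front; the retained `k := k` before `Key: &k` is correct on any Go version and can stay. resourceTagsFromSDKTags's body continues outside the hunk.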
--- a/templates/hooks/certificate/sdk_file_end.go.tpl
+++ b/templates/hooks/certificate/sdk_file_end.go.tpl
@@ -31,7 +31,7 @@ func (rm *resourceManager) new{{ $inputShapeName }}(
 return nil, ackrequeue.Needed(err)
 }
 if tmpSecret != "" {
- input.{{$fieldName}} = []byte(tmpSecret)
+ input.ImportCertificateInput.{{$fieldName}} = []byte(tmpSecret)
 }
 }
 {{end}}
diff --git a/templates/hooks/certificate/sdk_read_one_pre_set_output.go.tpl b/templates/hooks/certificate/sdk_read_one_pre_set_output.go.tpl
index cba5644..b61ff49 100644
--- a/templates/hooks/certificate/sdk_read_one_pre_set_output.go.tpl
+++ b/templates/hooks/certificate/sdk_read_one_pre_set_output.go.tpl
@@ -10,8 +10,8 @@
 if dvsiter.ResourceRecord.Name != nil {
 dvselem.ResourceRecord.Name = dvsiter.ResourceRecord.Name
 }
- if dvsiter.ResourceRecord.Type != nil {
- dvselem.ResourceRecord.Type = dvsiter.ResourceRecord.Type
+ if dvsiter.ResourceRecord.Type != "" {
+ dvselem.ResourceRecord.Type = aws.String(string(dvsiter.ResourceRecord.Type))
 }
 if dvsiter.ResourceRecord.Value != nil {
 dvselem.ResourceRecord.Value = dvsiter.ResourceRecord.Value
@@ -20,14 +20,14 @@
 if dvsiter.ValidationDomain != nil {
 dvselem.ValidationDomain = dvsiter.ValidationDomain
 }
- if dvsiter.ValidationEmails != nil {
- dvselem.ValidationEmails = dvsiter.ValidationEmails
+ for _, ve := range dvsiter.ValidationEmails {
+ dvselem.ValidationEmails = append(dvselem.ValidationEmails, &ve)
 }
- if dvsiter.ValidationMethod != nil {
- dvselem.ValidationMethod = dvsiter.ValidationMethod
+ if dvsiter.ValidationMethod != "" {
+ dvselem.ValidationMethod = aws.String(string(dvsiter.ValidationMethod))
 }
- if dvsiter.ValidationStatus != nil {
- dvselem.ValidationStatus = dvsiter.ValidationStatus
+ if dvsiter.ValidationStatus != "" {
+ dvselem.ValidationStatus = aws.String(string(dvsiter.ValidationStatus))
 }
 dvs = append(dvs, dvselem)
 }