diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml index 8d42832..3d9085b 100755 --- a/apis/v1alpha1/ack-generate-metadata.yaml +++ b/apis/v1alpha1/ack-generate-metadata.yaml @@ -1,8 +1,8 @@ ack_generate_info: - build_date: "2025-02-06T03:23:52Z" - build_hash: 8762917215d9902b2011a2b0b1b0c776855a683e - go_version: go1.23.5 - version: v0.42.0 + build_date: "2025-02-18T01:07:06Z" + build_hash: 66c0f840b0bcf6f552be46cf5ee0fb95ad57053e + go_version: go1.23.6 + version: v0.43.0 api_directory_checksum: 78a5d23ba8b0c12225d1afd2506d5524d9a7aa68 api_version: v1alpha1 aws_sdk_go_version: v1.32.6 diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml index 2ff9bb9..0702d33 100644 --- a/config/controller/kustomization.yaml +++ b/config/controller/kustomization.yaml @@ -6,4 +6,4 @@ kind: Kustomization images: - name: controller newName: public.ecr.aws/aws-controllers-k8s/acm-controller - newTag: 1.0.3 + newTag: 1.0.4 diff --git a/go.mod b/go.mod index f749f53..9d9aa1b 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ toolchain go1.22.5 require ( github.com/aws-controllers-k8s/acmpca-controller v0.0.17 - github.com/aws-controllers-k8s/runtime v0.42.0 + github.com/aws-controllers-k8s/runtime v0.43.0 github.com/aws/aws-sdk-go v1.49.6 github.com/aws/aws-sdk-go-v2 v1.34.0 github.com/aws/aws-sdk-go-v2/service/acm v1.30.14 diff --git a/go.sum b/go.sum index 59f7fba..3d9f964 100644 --- a/go.sum +++ b/go.sum @@ -1,7 +1,7 @@ github.com/aws-controllers-k8s/acmpca-controller v0.0.17 h1:i1YyvDui8LNbwLwkXsr+jVoyCP49+ie4CZq1RRq7Tz0= github.com/aws-controllers-k8s/acmpca-controller v0.0.17/go.mod h1:BaLyCLbP5GibqqT4qANmDxAX3CYHatA+dQNFe5fOk+M= -github.com/aws-controllers-k8s/runtime v0.42.0 h1:fVb3cOwUtn0ZwTSedapES+Rspb97S8BTxMqXJt6R5uM= -github.com/aws-controllers-k8s/runtime v0.42.0/go.mod h1:Oy0JKvDxZMZ+SVupm4NZVqP00KLIIAMfk93KnOwlt5c= +github.com/aws-controllers-k8s/runtime v0.43.0 h1:mCtMHO0rew84VbqotquvBirnKysbao+y2G3QI8bKZxM= +github.com/aws-controllers-k8s/runtime v0.43.0/go.mod h1:Oy0JKvDxZMZ+SVupm4NZVqP00KLIIAMfk93KnOwlt5c= github.com/aws/aws-sdk-go v1.49.6 h1:yNldzF5kzLBRvKlKz1S0bkvc2+04R1kt13KfBWQBfFA= github.com/aws/aws-sdk-go v1.49.6/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= github.com/aws/aws-sdk-go-v2 v1.34.0 h1:9iyL+cjifckRGEVpRKZP3eIxVlL06Qk1Tk13vreaVQU= diff --git a/helm/Chart.yaml b/helm/Chart.yaml index 2e8b84f..3b3710f 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 name: acm-chart description: A Helm chart for the ACK service controller for AWS Certificate Manager (ACM) -version: 1.0.3 -appVersion: 1.0.3 +version: 1.0.4 +appVersion: 1.0.4 home: https://github.com/aws-controllers-k8s/acm-controller icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt index 3c4acd3..838e202 100644 --- a/helm/templates/NOTES.txt +++ b/helm/templates/NOTES.txt @@ -1,5 +1,5 @@ {{ .Chart.Name }} has been installed. -This chart deploys "public.ecr.aws/aws-controllers-k8s/acm-controller:1.0.3". +This chart deploys "public.ecr.aws/aws-controllers-k8s/acm-controller:1.0.4". Check its status by running: kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}" diff --git a/helm/values.yaml b/helm/values.yaml index b2ac1a4..3aceac5 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -4,7 +4,7 @@ image: repository: public.ecr.aws/aws-controllers-k8s/acm-controller - tag: 1.0.3 + tag: 1.0.4 pullPolicy: IfNotPresent pullSecrets: [] diff --git a/pkg/resource/certificate/manager.go b/pkg/resource/certificate/manager.go index 034f959..33a64f7 100644 --- a/pkg/resource/certificate/manager.go +++ b/pkg/resource/certificate/manager.go @@ -102,6 +102,7 @@ func (rm *resourceManager) ReadOne( panic("resource manager's ReadOne() method received resource with nil CR object") } observed, err := rm.sdkFind(ctx, r) + mirrorAWSTags(r, observed) if err != nil { if observed != nil { return rm.onError(observed, err) @@ -322,6 +323,49 @@ func (rm *resourceManager) EnsureTags( return nil } +// FilterAWSTags ignores tags that have keys that start with "aws:" +// is needed to ensure the controller does not attempt to remove +// tags set by AWS. This function needs to be called after each Read +// operation. +// Eg. resources created with cloudformation have tags that cannot be +// removed by an ACK controller +func (rm *resourceManager) FilterSystemTags(res acktypes.AWSResource) { + r := rm.concreteResource(res) + if r == nil || r.ko == nil { + return + } + var existingTags []*svcapitypes.Tag + existingTags = r.ko.Spec.Tags + resourceTags := ToACKTags(existingTags) + ignoreSystemTags(resourceTags) + r.ko.Spec.Tags = FromACKTags(resourceTags) +} + +// mirrorAWSTags ensures that AWS tags are included in the desired resource +// if they are present in the latest resource. This will ensure that the +// aws tags are not present in a diff. The logic of the controller will +// ensure these tags aren't patched to the resource in the cluster, and +// will only be present to make sure we don't try to remove these tags. +// +// Although there are a lot of similarities between this function and +// EnsureTags, they are very much different. +// While EnsureTags tries to make sure the resource contains the controller +// tags, mirrowAWSTags tries to make sure tags injected by AWS are mirrored +// from the latest resoruce to the desired resource. +func mirrorAWSTags(a *resource, b *resource) { + if a == nil || a.ko == nil || b == nil || b.ko == nil { + return + } + var existingLatestTags []*svcapitypes.Tag + var existingDesiredTags []*svcapitypes.Tag + existingDesiredTags = a.ko.Spec.Tags + existingLatestTags = b.ko.Spec.Tags + desiredTags := ToACKTags(existingDesiredTags) + latestTags := ToACKTags(existingLatestTags) + syncAWSTags(desiredTags, latestTags) + a.ko.Spec.Tags = FromACKTags(desiredTags) +} + // newResourceManager returns a new struct implementing // acktypes.AWSResourceManager // This is for AWS-SDK-GO-V2 - Created newResourceManager With AWS sdk-Go-ClientV2 diff --git a/pkg/resource/certificate/tags.go b/pkg/resource/certificate/tags.go index aa1b937..c3a53a6 100644 --- a/pkg/resource/certificate/tags.go +++ b/pkg/resource/certificate/tags.go @@ -16,14 +16,18 @@ package certificate import ( + "slices" + "strings" + acktags "github.com/aws-controllers-k8s/runtime/pkg/tags" svcapitypes "github.com/aws-controllers-k8s/acm-controller/apis/v1alpha1" ) var ( - _ = svcapitypes.Certificate{} - _ = acktags.NewTags() + _ = svcapitypes.Certificate{} + _ = acktags.NewTags() + ACKSystemTags = []string{"services.k8s.aws/namespace", "services.k8s.aws/controller-version"} ) // ToACKTags converts the tags parameter into 'acktags.Tags' shape. @@ -61,3 +65,43 @@ func FromACKTags(tags acktags.Tags) []*svcapitypes.Tag { } return result } + +// ignoreSystemTags ignores tags that have keys that start with "aws:" +// and ACKSystemTags, to avoid patching them to the resourceSpec. +// Eg. resources created with cloudformation have tags that cannot be +// removed by an ACK controller +func ignoreSystemTags(tags acktags.Tags) { + for k := range tags { + if strings.HasPrefix(k, "aws:") || + slices.Contains(ACKSystemTags, k) { + delete(tags, k) + } + } +} + +// syncAWSTags ensures AWS-managed tags (prefixed with "aws:") from the latest resource state +// are preserved in the desired state. This prevents the controller from attempting to +// modify AWS-managed tags, which would result in an error. +// +// AWS-managed tags are automatically added by AWS services (e.g., CloudFormation, Service Catalog) +// and cannot be modified or deleted through normal tag operations. Common examples include: +// - aws:cloudformation:stack-name +// - aws:servicecatalog:productArn +// +// Parameters: +// - a: The target Tags map to be updated (typically desired state) +// - b: The source Tags map containing AWS-managed tags (typically latest state) +// +// Example: +// +// latest := Tags{"aws:cloudformation:stack-name": "my-stack", "environment": "prod"} +// desired := Tags{"environment": "dev"} +// SyncAWSTags(desired, latest) +// desired now contains {"aws:cloudformation:stack-name": "my-stack", "environment": "dev"} +func syncAWSTags(a acktags.Tags, b acktags.Tags) { + for k := range b { + if strings.HasPrefix(k, "aws:") { + a[k] = b[k] + } + } +}