diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml
index 3d9085b..934c05d 100755
--- a/apis/v1alpha1/ack-generate-metadata.yaml
+++ b/apis/v1alpha1/ack-generate-metadata.yaml
@@ -1,9 +1,9 @@
 ack_generate_info:
- build_date: "2025-02-18T01:07:06Z"
- build_hash: 66c0f840b0bcf6f552be46cf5ee0fb95ad57053e
- go_version: go1.23.6
- version: v0.43.0
-api_directory_checksum: 78a5d23ba8b0c12225d1afd2506d5524d9a7aa68
+ build_date: "2025-02-19T23:31:41Z"
+ build_hash: 8b426c490ff1984d8ce5577e11d6dabe1b6373b8
+ go_version: go1.24.0
+ version: v0.43.1
+api_directory_checksum: d47552708cce6913653d845ed96e31d27957b6ad
 api_version: v1alpha1
 aws_sdk_go_version: v1.32.6
 generator_config_info:
diff --git a/apis/v1alpha1/certificate.go b/apis/v1alpha1/certificate.go
index 93455ab..6b4388f 100644
--- a/apis/v1alpha1/certificate.go
+++ b/apis/v1alpha1/certificate.go
@@ -25,9 +25,15 @@ type CertificateSpec struct {
 
 // The Certificate to import into AWS Certificate Manager (ACM) to use with services that are integrated with ACM.
 // This field is only valid when importing an existing certificate into ACM.
+
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set"
+
 Certificate *ackv1alpha1.SecretKeyReference `json:"certificate,omitempty"`
 // The Amazon Resource Name (ARN) of an imported certificate to replace. This field is only valid when importing
 // an existing certificate into ACM.
+
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set"
+
 CertificateARN *string `json:"certificateARN,omitempty"`
 // The Amazon Resource Name (ARN) of the private certificate authority (CA)
 // that will be used to issue the certificate. If you do not provide an ARN
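Review bot: The blank lines inserted between the doc comment, the `+kubebuilder` marker and the field detach the comment from `Certificate` and `CertificateARN`, so controller-gen no longer emits a `description` for them — the CRD hunks in this same commit show `certificateARN` losing its description and `certificate` falling back to the generic SecretKeyReference type comment. The same pattern recurs in the hunks at @@ -37, @@ -50, @@ -80, @@ -87 and @@ -103, where `domainName`, `domainValidationOptions`, `keyAlgorithm`, `subjectAlternativeNames` and `tags` lose their descriptions even though they gain no validation. Keep comment, marker and field contiguous, i.e. `// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set"` directly under the last line of the ACM comment and directly above `Certificate *ackv1alpha1.SecretKeyReference …`, with no blank line on either side. If this file is produced by ack-generate, the fix belongs in the generator's field template rather than in this file. The enclosing CertificateSpec struct starts before this hunk and ends after it.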
@@ -37,9 +43,16 @@ type CertificateSpec struct {
 // user guide. The ARN must have the following form:
 //
 // arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
- CertificateAuthorityARN *string `json:"certificateAuthorityARN,omitempty"`
+
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set"
+
+ CertificateAuthorityARN *string `json:"certificateAuthorityARN,omitempty"`
+
 CertificateAuthorityRef *ackv1alpha1.AWSResourceReferenceWrapper `json:"certificateAuthorityRef,omitempty"`
- CertificateChain *ackv1alpha1.SecretKeyReference `json:"certificateChain,omitempty"`
+
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set"
+
+ CertificateChain *ackv1alpha1.SecretKeyReference `json:"certificateChain,omitempty"`
 // Fully qualified domain name (FQDN), such as www.example.com, that you want
 // to secure with an ACM certificate. Use an asterisk (*) to create a wildcard
 // certificate that protects several sites in the same domain. For example,
@@ -50,9 +63,11 @@ type CertificateSpec struct {
 // cannot exceed 64 octets (characters), including periods. To add a longer
 // domain name, specify it in the Subject Alternative Name field, which supports
 // names up to 253 octets in length.
+
 DomainName *string `json:"domainName,omitempty"`
 // The domain name that you want ACM to use to send you emails so that you can
 // validate domain ownership.
+
 DomainValidationOptions []*DomainValidationOption `json:"domainValidationOptions,omitempty"`
 // Specifies the algorithm of the public and private key pair that your certificate
 // uses to encrypt data. RSA is the default key algorithm for ACM certificates.
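Review bot: `CertificateAuthorityRef` gets no `self == oldSelf` marker while the `CertificateAuthorityARN` it resolves to does, so whether the issuing CA is actually immutable depends on which of the two fields the user chose to populate. If, as in other ACK controllers, the reference is resolved into `CertificateAuthorityARN` on the in-memory copy during reconcile rather than written back to the stored object (not visible in this diff — please confirm), then editing the Ref changes the effective CA without the API server ever comparing `oldSelf` for the ARN. If the CA is meant to be fixed once set, put the same marker on the Ref: `// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set"` directly above `CertificateAuthorityRef *ackv1alpha1.AWSResourceReferenceWrapper …`. CertificateSpec starts and ends outside this hunk.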
@@ -67,11 +82,11 @@ type CertificateSpec struct {
 //
 // Algorithms supported for an ACM certificate request include:
 //
- // - RSA_2048
+ // * RSA_2048
 //
- // - EC_prime256v1
+ // * EC_prime256v1
 //
- // - EC_secp384r1
+ // * EC_secp384r1
 //
 // Other listed algorithms are for imported certificates only.
 //
@@ -80,6 +95,7 @@ type CertificateSpec struct {
 // must match the algorithm family of the CA's secret key.
 //
 // Default: RSA_2048
+
 KeyAlgorithm *string `json:"keyAlgorithm,omitempty"`
 // Currently, you can use this parameter to specify whether to add the certificate
 // to a certificate transparency log. Certificate transparency makes it possible
@@ -87,9 +103,13 @@ type CertificateSpec struct {
 // Certificates that have not been logged typically produce an error message
 // in a browser. For more information, see Opting Out of Certificate Transparency
 // Logging (https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency).
+
 Options *CertificateOptions `json:"options,omitempty"`
 // The private key that matches the public key in the certificate. This field is only valid when importing
 // an existing certificate into ACM.
+
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable once set"
+
 PrivateKey *ackv1alpha1.SecretKeyReference `json:"privateKey,omitempty"`
 // Additional FQDNs to be included in the Subject Alternative Name extension
 // of the ACM certificate. For example, add the name www.example.net to a certificate
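Review bot: The `self == oldSelf` rule placed above `PrivateKey` (and above `Certificate`, `CertificateARN`, `CertificateAuthorityARN` and `CertificateChain` in the hunks at @@ -25 and @@ -37) is a CEL transition rule, which the API server evaluates only when the field is present in both the old and the new object, so an update that clears an already-set `spec.privateKey` is accepted, whereas the `delta.DifferentAt` guard this commit removes from sdkUpdate in pkg/resource/certificate/sdk.go rejected any difference, including removal. That guard was also the only enforcement independent of the installed CRD: Helm does not re-apply files under `crds/` on `helm upgrade`, so a cluster that moves to controller 1.0.5 while keeping the 1.0.4 CRD has no immutability check at all, and from the visible part of sdkUpdate only `Spec.Tags` is acted on, so an edited key or chain would be left unsynced without any condition saying so (sdkUpdate continues outside that hunk, so later branches may cover more). If removal is meant to be blocked as well, add a spec-level rule such as `// +kubebuilder:validation:XValidation:rule="!has(oldSelf.privateKey) || has(self.privateKey)",message="privateKey cannot be removed once set"` on CertificateSpec, and call out the CRD re-apply requirement in the release notes. CertificateSpec starts and ends outside this hunk.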
@@ -103,18 +123,20 @@ type CertificateSpec struct {
 // multiple labels separated by periods. No label can be longer than 63 octets.
 // Consider the following examples:
 //
- // - (63 octets).(63 octets).(63 octets).(61 octets) is legal because the
- // total length is 253 octets (63+1+63+1+63+1+61) and no label exceeds 63
- // octets.
+ // * (63 octets).(63 octets).(63 octets).(61 octets) is legal because the
+ // total length is 253 octets (63+1+63+1+63+1+61) and no label exceeds 63
+ // octets.
 //
- // - (64 octets).(63 octets).(63 octets).(61 octets) is not legal because
- // the total length exceeds 253 octets (64+1+63+1+63+1+61) and the first
- // label exceeds 63 octets.
+ // * (64 octets).(63 octets).(63 octets).(61 octets) is not legal because
+ // the total length exceeds 253 octets (64+1+63+1+63+1+61) and the first
+ // label exceeds 63 octets.
 //
- // - (63 octets).(63 octets).(63 octets).(62 octets) is not legal because
- // the total length of the DNS name (63+1+63+1+63+1+62) exceeds 253 octets.
+ // * (63 octets).(63 octets).(63 octets).(62 octets) is not legal because
+ // the total length of the DNS name (63+1+63+1+63+1+62) exceeds 253 octets.
+
 SubjectAlternativeNames []*string `json:"subjectAlternativeNames,omitempty"`
 // One or more resource tags to associate with the certificate.
+
 Tags []*Tag `json:"tags,omitempty"`
 }
 
@@ -125,7 +147,7 @@ type CertificateStatus struct {
 // constructed ARN for the resource
 // +kubebuilder:validation:Optional
 ACKResourceMetadata *ackv1alpha1.ResourceMetadata `json:"ackResourceMetadata"`
- // All CRS managed by ACK have a common `Status.Conditions` member that
+ // All CRs managed by ACK have a common `Status.Conditions` member that
 // contains a collection of `ackv1alpha1.Condition` objects that describe
 // the various terminal states of the CR and its backend AWS service API
 // resource
diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml
index 0702d33..ee8fdb4 100644
--- a/config/controller/kustomization.yaml
+++ b/config/controller/kustomization.yaml
@@ -6,4 +6,4 @@ kind: Kustomization
 images:
 - name: controller
 newName: public.ecr.aws/aws-controllers-k8s/acm-controller
- newTag: 1.0.4
+ newTag: 1.0.5
diff --git a/config/crd/bases/acm.services.k8s.aws_certificates.yaml b/config/crd/bases/acm.services.k8s.aws_certificates.yaml
index b591a8f..ecfc921 100644
--- a/config/crd/bases/acm.services.k8s.aws_certificates.yaml
+++ b/config/crd/bases/acm.services.k8s.aws_certificates.yaml
@@ -41,8 +41,8 @@ spec:
 properties:
 certificate:
 description: |-
- The Certificate to import into AWS Certificate Manager (ACM) to use with services that are integrated with ACM.
- This field is only valid when importing an existing certificate into ACM.
+ SecretKeyReference combines a k8s corev1.SecretReference with a
+ specific key within the referred-to Secret
 properties:
 key:
 description: Key is the key within the secret
@@ -59,22 +59,19 @@ spec: - key type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf certificateARN: - description: |- - The Amazon Resource Name (ARN) of an imported certificate to replace. This field is only valid when importing - an existing certificate into ACM. type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf certificateAuthorityARN: - description: |- - The Amazon Resource Name (ARN) of the private certificate authority (CA) - that will be used to issue the certificate. If you do not provide an ARN - and you are trying to request a private certificate, ACM will attempt to - issue a public certificate. For more information about private CAs, see the - Amazon Web Services Private Certificate Authority (https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html) - user guide. The ARN must have the following form: - - arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf certificateAuthorityRef: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax 
@@ -112,23 +109,12 @@ spec: - key type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf domainName: - description: |- - Fully qualified domain name (FQDN), such as www.example.com, that you want - to secure with an ACM certificate. Use an asterisk (*) to create a wildcard - certificate that protects several sites in the same domain. For example, - *.example.com protects www.example.com, site.example.com, and images.example.com. - - In compliance with RFC 5280 (https://datatracker.ietf.org/doc/html/rfc5280), - the length of the domain name (technically, the Common Name) that you provide - cannot exceed 64 octets (characters), including periods. To add a longer - domain name, specify it in the Subject Alternative Name field, which supports - names up to 253 octets in length. type: string domainValidationOptions: - description: |- - The domain name that you want ACM to use to send you emails so that you can - validate domain ownership. items: description: |- Contains information about the domain names that you want ACM to use to send 
@@ -141,50 +127,24 @@ spec: type: object type: array keyAlgorithm: - description: |- - Specifies the algorithm of the public and private key pair that your certificate - uses to encrypt data. RSA is the default key algorithm for ACM certificates. - Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering - security comparable to RSA keys but with greater computing efficiency. However, - ECDSA is not supported by all network clients. Some Amazon Web Services services - may require RSA keys, or only support ECDSA keys of a particular size, while - others allow the use of either RSA and ECDSA keys to ensure that compatibility - is not broken. Check the requirements for the Amazon Web Services service - where you plan to deploy your certificate. For more information about selecting - an algorithm, see Key algorithms (https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms). - - Algorithms supported for an ACM certificate request include: - - * RSA_2048 - - * EC_prime256v1 - - * EC_secp384r1 - - Other listed algorithms are for imported certificates only. - - When you request a private PKI certificate signed by a CA from Amazon Web - Services Private CA, the specified signing algorithm family (RSA or ECDSA) - must match the algorithm family of the CA's secret key. - - Default: RSA_2048 type: string options: description: |- - Currently, you can use this parameter to specify whether to add the certificate - to a certificate transparency log. Certificate transparency makes it possible - to detect SSL/TLS certificates that have been mistakenly or maliciously issued. - Certificates that have not been logged typically produce an error message - in a browser. For more information, see Opting Out of Certificate Transparency - Logging (https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency). + Structure that contains options for your certificate. 
Currently, you can + use this only to specify whether to opt in to or out of certificate transparency + logging. Some browsers require that public certificates issued for your domain + be recorded in a log. Certificates that are not logged typically generate + a browser error. Transparency makes it possible for you to detect SSL/TLS + certificates that have been mistakenly or maliciously issued for your domain. + For general information, see Certificate Transparency Logging (https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency). properties: certificateTransparencyLoggingPreference: type: string type: object privateKey: description: |- - The private key that matches the public key in the certificate. This field is only valid when importing - an existing certificate into ACM. + SecretKeyReference combines a k8s corev1.SecretReference with a + specific key within the referred-to Secret properties: key: description: Key is the key within the secret 
@@ -201,35 +161,14 @@ spec: - key type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf subjectAlternativeNames: - description: |- - Additional FQDNs to be included in the Subject Alternative Name extension - of the ACM certificate. For example, add the name www.example.net to a certificate - for which the DomainName field is www.example.com if users can reach your - site by using either name. The maximum number of domain names that you can - add to an ACM certificate is 100. However, the initial quota is 10 domain - names. If you need more than 10 names, you must request a quota increase. - For more information, see Quotas (https://docs.aws.amazon.com/acm/latest/userguide/acm-limits.html). - - The maximum length of a SAN DNS name is 253 octets. The name is made up of - multiple labels separated by periods. No label can be longer than 63 octets. - Consider the following examples: - - * (63 octets).(63 octets).(63 octets).(61 octets) is legal because the - total length is 253 octets (63+1+63+1+63+1+61) and no label exceeds 63 - octets. - - * (64 octets).(63 octets).(63 octets).(61 octets) is not legal because - the total length exceeds 253 octets (64+1+63+1+63+1+61) and the first - label exceeds 63 octets. - - * (63 octets).(63 octets).(63 octets).(62 octets) is not legal because - the total length of the DNS name (63+1+63+1+63+1+62) exceeds 253 octets. items: type: string type: array tags: - description: One or more resource tags to associate with the certificate. items: description: A key-value pair that identifies or specifies metadata about an ACM resource. 
@@ -275,7 +214,7 @@ spec:
 type: object
 conditions:
 description: |-
- All CRS managed by ACK have a common `Status.Conditions` member that
+ All CRs managed by ACK have a common `Status.Conditions` member that
 contains a collection of `ackv1alpha1.Condition` objects that describe
 the various terminal states of the CR and its backend AWS service API
 resource
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
index 3b3710f..7f4b5cb 100644
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
 name: acm-chart
 description: A Helm chart for the ACK service controller for AWS Certificate Manager (ACM)
-version: 1.0.4
-appVersion: 1.0.4
+version: 1.0.5
+appVersion: 1.0.5
 home: https://github.com/aws-controllers-k8s/acm-controller
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 sources:
diff --git a/helm/crds/acm.services.k8s.aws_certificates.yaml b/helm/crds/acm.services.k8s.aws_certificates.yaml
index 0b934fb..ecfc921 100644
--- a/helm/crds/acm.services.k8s.aws_certificates.yaml
+++ b/helm/crds/acm.services.k8s.aws_certificates.yaml
@@ -41,8 +41,8 @@ spec:
 properties:
 certificate:
 description: |-
- The Certificate to import into AWS Certificate Manager (ACM) to use with services that are integrated with ACM.
- This field is only valid when importing an existing certificate into ACM.
+ SecretKeyReference combines a k8s corev1.SecretReference with a
+ specific key within the referred-to Secret
 properties:
 key:
 description: Key is the key within the secret
@@ -59,22 +59,19 @@ spec: - key type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf certificateARN: - description: |- - The Amazon Resource Name (ARN) of an imported certificate to replace. This field is only valid when importing - an existing certificate into ACM. type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf certificateAuthorityARN: - description: |- - The Amazon Resource Name (ARN) of the private certificate authority (CA) - that will be used to issue the certificate. If you do not provide an ARN - and you are trying to request a private certificate, ACM will attempt to - issue a public certificate. For more information about private CAs, see the - Amazon Web Services Private Certificate Authority (https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html) - user guide. The ARN must have the following form: - - arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 type: string + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf certificateAuthorityRef: description: "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax 
@@ -112,23 +109,12 @@ spec: - key type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf domainName: - description: |- - Fully qualified domain name (FQDN), such as www.example.com, that you want - to secure with an ACM certificate. Use an asterisk (*) to create a wildcard - certificate that protects several sites in the same domain. For example, - *.example.com protects www.example.com, site.example.com, and images.example.com. - - In compliance with RFC 5280 (https://datatracker.ietf.org/doc/html/rfc5280), - the length of the domain name (technically, the Common Name) that you provide - cannot exceed 64 octets (characters), including periods. To add a longer - domain name, specify it in the Subject Alternative Name field, which supports - names up to 253 octets in length. type: string domainValidationOptions: - description: |- - The domain name that you want ACM to use to send you emails so that you can - validate domain ownership. items: description: |- Contains information about the domain names that you want ACM to use to send 
@@ -141,50 +127,24 @@ spec: type: object type: array keyAlgorithm: - description: |- - Specifies the algorithm of the public and private key pair that your certificate - uses to encrypt data. RSA is the default key algorithm for ACM certificates. - Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering - security comparable to RSA keys but with greater computing efficiency. However, - ECDSA is not supported by all network clients. Some Amazon Web Services services - may require RSA keys, or only support ECDSA keys of a particular size, while - others allow the use of either RSA and ECDSA keys to ensure that compatibility - is not broken. Check the requirements for the Amazon Web Services service - where you plan to deploy your certificate. For more information about selecting - an algorithm, see Key algorithms (https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms). - - Algorithms supported for an ACM certificate request include: - - - RSA_2048 - - - EC_prime256v1 - - - EC_secp384r1 - - Other listed algorithms are for imported certificates only. - - When you request a private PKI certificate signed by a CA from Amazon Web - Services Private CA, the specified signing algorithm family (RSA or ECDSA) - must match the algorithm family of the CA's secret key. - - Default: RSA_2048 type: string options: description: |- - Currently, you can use this parameter to specify whether to add the certificate - to a certificate transparency log. Certificate transparency makes it possible - to detect SSL/TLS certificates that have been mistakenly or maliciously issued. - Certificates that have not been logged typically produce an error message - in a browser. For more information, see Opting Out of Certificate Transparency - Logging (https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency). + Structure that contains options for your certificate. 
Currently, you can + use this only to specify whether to opt in to or out of certificate transparency + logging. Some browsers require that public certificates issued for your domain + be recorded in a log. Certificates that are not logged typically generate + a browser error. Transparency makes it possible for you to detect SSL/TLS + certificates that have been mistakenly or maliciously issued for your domain. + For general information, see Certificate Transparency Logging (https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency). properties: certificateTransparencyLoggingPreference: type: string type: object privateKey: description: |- - The private key that matches the public key in the certificate. This field is only valid when importing - an existing certificate into ACM. + SecretKeyReference combines a k8s corev1.SecretReference with a + specific key within the referred-to Secret properties: key: description: Key is the key within the secret 
@@ -201,35 +161,14 @@ spec: - key type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: Value is immutable once set + rule: self == oldSelf subjectAlternativeNames: - description: |- - Additional FQDNs to be included in the Subject Alternative Name extension - of the ACM certificate. For example, add the name www.example.net to a certificate - for which the DomainName field is www.example.com if users can reach your - site by using either name. The maximum number of domain names that you can - add to an ACM certificate is 100. However, the initial quota is 10 domain - names. If you need more than 10 names, you must request a quota increase. - For more information, see Quotas (https://docs.aws.amazon.com/acm/latest/userguide/acm-limits.html). - - The maximum length of a SAN DNS name is 253 octets. The name is made up of - multiple labels separated by periods. No label can be longer than 63 octets. - Consider the following examples: - - - (63 octets).(63 octets).(63 octets).(61 octets) is legal because the - total length is 253 octets (63+1+63+1+63+1+61) and no label exceeds 63 - octets. - - - (64 octets).(63 octets).(63 octets).(61 octets) is not legal because - the total length exceeds 253 octets (64+1+63+1+63+1+61) and the first - label exceeds 63 octets. - - - (63 octets).(63 octets).(63 octets).(62 octets) is not legal because - the total length of the DNS name (63+1+63+1+63+1+62) exceeds 253 octets. items: type: string type: array tags: - description: One or more resource tags to associate with the certificate. items: description: A key-value pair that identifies or specifies metadata about an ACM resource. 
@@ -275,7 +214,7 @@ spec:
 type: object
 conditions:
 description: |-
- All CRS managed by ACK have a common `Status.Conditions` member that
+ All CRs managed by ACK have a common `Status.Conditions` member that
 contains a collection of `ackv1alpha1.Condition` objects that describe
 the various terminal states of the CR and its backend AWS service API
 resource
diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt
index 838e202..83b299b 100644
--- a/helm/templates/NOTES.txt
+++ b/helm/templates/NOTES.txt
@@ -1,5 +1,5 @@
 {{ .Chart.Name }} has been installed.
-This chart deploys "public.ecr.aws/aws-controllers-k8s/acm-controller:1.0.4".
+This chart deploys "public.ecr.aws/aws-controllers-k8s/acm-controller:1.0.5".
 
 Check its status by running:
 kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}"
diff --git a/helm/values.yaml b/helm/values.yaml
index 3aceac5..27760ac 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -4,7 +4,7 @@
 
 image:
 repository: public.ecr.aws/aws-controllers-k8s/acm-controller
- tag: 1.0.4
+ tag: 1.0.5
 pullPolicy: IfNotPresent
 pullSecrets: []
 
diff --git a/pkg/resource/certificate/sdk.go b/pkg/resource/certificate/sdk.go
index 0ba1f2b..6a9bcd6 100644
--- a/pkg/resource/certificate/sdk.go
+++ b/pkg/resource/certificate/sdk.go
@@ -499,10 +499,6 @@ func (rm *resourceManager) sdkUpdate(
 defer func() {
 exit(err)
 }()
- if immutableFieldChanges := rm.getImmutableFieldChanges(delta); len(immutableFieldChanges) > 0 {
- msg := fmt.Sprintf("Immutable Spec fields have been modified: %s", strings.Join(immutableFieldChanges, ","))
- return nil, ackerr.NewTerminalError(fmt.Errorf(msg))
- }
 if delta.DifferentAt("Spec.Tags") {
 if err := syncTags(
 ctx, rm.sdkapi, rm.metrics,
@@ -725,30 +721,6 @@ func (rm *resourceManager) terminalAWSError(err error) bool {
 }
 }
 
-// getImmutableFieldChanges returns list of immutable fields from the
-func (rm *resourceManager) getImmutableFieldChanges(
- delta *ackcompare.Delta,
-) []string {
- var fields []string
- if delta.DifferentAt("Spec.Certificate") {
- fields = append(fields, "Certificate")
- }
- if delta.DifferentAt("Spec.CertificateArn") {
- fields = append(fields, "CertificateArn")
- }
- if delta.DifferentAt("Spec.CertificateAuthorityARN") {
- fields = append(fields, "CertificateAuthorityARN")
- }
- if delta.DifferentAt("Spec.CertificateChain") {
- fields = append(fields, "CertificateChain")
- }
- if delta.DifferentAt("Spec.PrivateKey") {
- fields = append(fields, "PrivateKey")
- }
-
- return fields
-}
-
 // newImportCertificateInput returns a ImportCertificateInput object
 // with each field set by the corresponding configuration's fields.
 func (rm *resourceManager) newImportCertificateInput(