Conversation

@alexwang0311 (Contributor) opened the pull request:

Add support to export ACM certificates to Kubernetes TLS Secrets for ACM private and public certificates.

@ack-prow ack-prow bot requested a review from knottnt November 30, 2025 00:41
@ack-prow ack-prow bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Nov 30, 2025
ack-prow bot commented Nov 30, 2025

Hi @alexwang0311. Thanks for your PR.

I'm waiting for an aws-controllers-k8s member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@alexwang0311 alexwang0311 marked this pull request as draft November 30, 2025 01:31
@ack-prow ack-prow bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 30, 2025
@alexwang0311 alexwang0311 marked this pull request as ready for review November 30, 2025 01:31
@ack-prow ack-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 30, 2025
@ack-prow ack-prow bot requested review from a-hilaly and rushmash91 November 30, 2025 01:31
@michaelhtm (Member):

/ok-to-test

@ack-prow ack-prow bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 1, 2025
@michaelhtm (Member) left a comment:

Thanks @alexwang0311, left a few comments below.

ack-prow bot commented Dec 1, 2025

@alexwang0311: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| acm-verify-attribution | 4d15d96 | link | false | /test acm-verify-attribution |
| acm-verify-code-gen | 4d15d96 | link | false | /test acm-verify-code-gen |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@michaelhtm (Member) left a comment:

Thanks again @alexwang0311
/lgtm

@ack-prow ack-prow bot added the lgtm Indicates that a PR is ready to be merged. label Dec 1, 2025
ack-prow bot commented Dec 1, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexwang0311, michaelhtm

The full list of commands accepted by this bot can be found here.

The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ack-prow ack-prow bot added the approved label Dec 1, 2025
@ack-prow ack-prow bot merged commit 22a7f2b into aws-controllers-k8s:main Dec 1, 2025
6 of 8 checks passed
Review comment on:

"Action": [
    "acm-pca:IssueCertificate",
    "acm-pca:GetCertificate",
    "acm-pca:ListPermissions"

Why is ListPermissions needed?

@alexwang0311 (Contributor, Author) replied:

https://awscli.amazonaws.com/v2/documentation/api/2.1.30/reference/acm-pca/list-permissions.html

Permissions designate which private CA actions can be performed by an AWS service or entity. In order for ACM to automatically renew private certificates, you must give the ACM service principal all available permissions (IssueCertificate, GetCertificate, and ListPermissions). Permissions can be assigned with the CreatePermission action, removed with the DeletePermission action, and listed with the ListPermissions action.

Review comment on:

"type": "string"
},
"endpoint": {
"endpoint_url": {

I don't understand why we added allow_unsafe_aws_endpoint_urls? What does this do?

@alexwang0311 (Contributor, Author) replied:

This was something added by the latest commit from the code generator repo.

Review comment on:

func generateRandomString(length int) (string, error) {
	const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+-=[]{}|;:,.<>?"
	b := make([]byte, length)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {

@divyansh-gupta commented Dec 2, 2025:

Thoughts on using crypto/rand.Int()? Something like:

num, err := rand.Int(rand.Reader, big.NewInt(int64(len(charset))))
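The point behind the reviewer's suggestion, as an added example that is not part of the PR or of the review thread: reducing a random byte with `b % len(charset)` cannot be uniform unless the alphabet size divides 256, and `crypto/rand.Int` avoids that by rejection sampling. `moduloBias` and `generateRandomStringUnbiased` are hypothetical names; the alphabet is the one from the helper under review.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
)

// Alphabet copied from the generateRandomString helper under review (88 symbols).
const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+-=[]{}|;:,.<>?"
// moduloBias tallies how many of the 256 byte values select each symbol when a
// random byte is reduced with `b % size`; it returns the highest and lowest tally.
func moduloBias(size int) (mostHits, fewestHits int) {
	hits := make([]int, size)
	for v := 0; v < 256; v++ {
		hits[v%size]++
	}
	// The first 256%size symbols get one extra hit: index 0 is favoured, the last is not.
	return hits[0], hits[size-1]
}

// generateRandomStringUnbiased draws each index with crypto/rand.Int, which
// rejection-samples a uniform value in [0, len(charset)), so no symbol is favoured.
func generateRandomStringUnbiased(length int) (string, error) {
	if length <= 0 {
		return "", fmt.Errorf("length must be positive, got %d", length)
	}
	bound := big.NewInt(int64(len(charset)))
	var sb strings.Builder
	for i := 0; i < length; i++ {
		n, err := rand.Int(rand.Reader, bound)
		if err != nil {
			return "", fmt.Errorf("reading random index: %w", err)
		}
		sb.WriteByte(charset[n.Int64()])
	}
	return sb.String(), nil
}

func main() {
	most, fewest := moduloBias(len(charset))
	fmt.Printf("byte %% %d: favoured symbols hit by %d byte values, the rest by %d\n", len(charset), most, fewest)
	s, err := generateRandomStringUnbiased(32)
	if err != nil {
		panic(err)
	}
	fmt.Println(s)
}
```

For this 88-symbol alphabet, 80 symbols are reachable from 3 byte values and 8 from only 2, so the modulo approach favours the first 80 by a factor of 1.5.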

Review comment on:

	return nil, errors.New("failed to decrypt PEM block")
}

// NOTE: Algorithms supported for an ACM certificate request include: RSA_2048, EC_prime256v1, EC_secp384r1

Are there plans to add more algorithms? If so, how do we keep this up to date?
