aws-controllers-k8s / community

AWS Controllers for Kubernetes (ACK) is a project enabling you to manage AWS services from Kubernetes
https://aws-controllers-k8s.github.io/community/
Apache License 2.0

ACM service controller #482

Open mdykes-gw opened 3 years ago

mdykes-gw commented 3 years ago

New ACK Service Controller

Support for ACM

List of API resources

List the API resources in order of importance to you:

1) Certificate

tavlima commented 6 months ago

@tavlima I can work on an ImportCertificate workflow for ACM, sure. Unfortunately I won't be able to get to this for probably another couple weeks, though.

@tavlima, wondering if you have any updates on the ImportCertificate workflow? TIA

@mahadh02 it was me who was working on this :) And I have not had the time or resources to get to it unfortunately. I may have some time towards the end of May to tackle this, however.

Hey, @jaypipes. Happy new year. 😄 Any updates on this?

Hey, @a-hilaly, do you happen to have any updates on this? Should I create another issue, for better tracking?

gregsidelinger commented 5 months ago

I did some playing around with the controller today and it is looking nice so far. I have a couple of questions/feature requests.

is-it-ayush commented 5 months ago

Our use case is to import certs, issued by cert-manager, to ACM. It would be great if the operator can do this.

@akamac ACM certs are free, why not issue new ones instead?

Because AWS no longer issues certificates for ru zone, while Let's Encrypt does.

Been stuck with exactly this! My setup is non-EKS kubeadm cluster running on EC2 with aws-load-balancer-controller, cert-manager and LetsEncrypt CA. I hope the ACM controller or Load Balancer controller supports,

Without either, TLS on Load Balancers is pretty much impossible to automate on non-EKS (tested) or even EKS clusters (untested). I wrote an issue here that condenses the problems I encountered on a non-EKS cluster with aws-load-balancer-controller and this is one of them.

radupopa369 commented 3 months ago

This is frustrating to learn that such an important feature is not automated today, almost 5 years later.

a-hilaly commented 3 months ago

Folks we have a PR open to support importing certificates https://github.com/aws-controllers-k8s/acm-controller/pull/40#issuecomment-2243449643 - please feel free to review and drop comments on how it will be implemented

cPu1 commented 3 months ago

> Folks we have a PR open to support importing certificates aws-controllers-k8s/acm-controller#40 (comment) - please feel free to review and drop comments on how it will be implemented

An example spec can be found in the PR: https://github.com/aws-controllers-k8s/acm-controller/blob/a386d8f3e6bdf9ab717d65ee66ddb0a9761cda4a/test/e2e/resources/certificate_imported.yaml. Both privateKey and certificate are references to secrets. Currently, you cannot reference a Kubernetes secret of type kubernetes.io/tls because of a limitation in code-generator, so an Opaque secret will need to be used.

```yaml
apiVersion: acm.services.k8s.aws/v1alpha1
kind: Certificate
metadata:
  name: $CERTIFICATE_NAME
spec:
  privateKey:
    name: $SECRET_NAME
    key: tls.key
  certificate:
    name: $SECRET_NAME
    key: tls.crt
  tags:
    - key: environment
      value: dev
    - key: imported
      value: "true"
```

cPu1 commented 3 months ago

/assign @cPu1
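
The Opaque-secret workaround described in cPu1's comment above, as an added example that is not code from the thread or from the ACK project: it copies `tls.crt` and `tls.key` from a `kubernetes.io/tls` secret (as cert-manager issues) into an Opaque secret and builds a Certificate manifest in the shape shown in the thread. The secret names, the sample manifest and the helper functions are assumptions made for illustration, and manifests are handled as JSON (the form `kubectl get secret -o json` returns).

```python
import base64
import json

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample: the shape of a TLS secret from `kubectl get secret -o json`.
# The PEM bodies are placeholders, not real key material.
SAMPLE_TLS_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "web-tls", "namespace": "default", "uid": "constructed-uid",
                 "resourceVersion": "1", "ownerReferences": [{"kind": "Certificate"}]},
    "data": {
        "tls.crt": b64("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "tls.key": b64("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"),
    },
}

def to_opaque_secret(tls_secret, new_name):
    """Copy tls.crt/tls.key from a kubernetes.io/tls secret into an Opaque one."""
    if tls_secret.get("type") != "kubernetes.io/tls":
        raise ValueError("expected a secret of type kubernetes.io/tls")
    data = tls_secret.get("data", {})
    for key, marker in (("tls.crt", "CERTIFICATE-----"), ("tls.key", "PRIVATE KEY-----")):
        if key not in data:
            raise ValueError(f"secret is missing {key}")
        pem = base64.b64decode(data[key], validate=True).decode("ascii", "replace")
        if not pem.startswith("-----BEGIN ") or marker not in pem.splitlines()[0]:
            raise ValueError(f"{key} does not look like PEM")  # never echo key material
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        # Fresh metadata: uid, resourceVersion and ownerReferences are not carried over.
        "metadata": {"name": new_name, "namespace": tls_secret["metadata"]["namespace"]},
        "data": {"tls.crt": data["tls.crt"], "tls.key": data["tls.key"]},
    }

def acm_certificate(name, secret_name):
    """Certificate manifest with both fields referencing the Opaque secret."""
    fields = (("privateKey", "tls.key"), ("certificate", "tls.crt"))
    return {"apiVersion": "acm.services.k8s.aws/v1alpha1", "kind": "Certificate",
            "metadata": {"name": name},
            "spec": {f: {"name": secret_name, "key": k} for f, k in fields}}

if __name__ == "__main__":
    opaque = to_opaque_secret(SAMPLE_TLS_SECRET, "web-tls-opaque")
    # Print only non-secret fields; the full manifest would go to `kubectl apply -f -`.
    print(json.dumps({k: opaque[k] for k in ("kind", "type", "metadata")}, indent=2))
    print(json.dumps(acm_certificate("web-imported", "web-tls-opaque"), indent=2))
```

The Opaque secret is a second, static copy of the private key: it needs the same RBAC restrictions as the original and has to be regenerated whenever the source certificate is renewed.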