Export ACM certificate to tls secret in ReadOnly mode

[jhcolville]

Describe the bug

We manage the lifecycle of our ACM certificates outside of k8s/ACK.

We're trying to use the ReadOnly feature gate that the acm-chart supports to adopt an existing ACM certificate and then also use the exportTo: functionality illustrated here to output the certificate to a k8s tls secret.

Based on various suggestions in issues found here we've tried combinations of the read-only and adoption-fields / adoption-policy to try and achieve this however the most consistent error we see is "resource not found".

Does the ACM controller support read-only / adopted resources?

If so, can it export to a k8s tls secret for both the tls.crt and tls.key fields?

If not is there any indication as to when this kind of feature may exist?

Thanks in advance!

Steps to reproduce

• deploy acm-controller from helm chart 1.3.2

• deploy Certificate CR similar to:

apiVersion: acm.services.k8s.aws/v1alpha1
kind: Certificate
metadata:
  name: nginx-ingress-tls-secret
  namespace: cluster-ingress
  annotations:
    services.k8s.aws/read-only: "true"
spec:
  domainName: my.domain
  exportTo:
    namespace: cluster-ingress
    name: nginx-ingress-tls-secret
    key: tls.crt

• errors result:

ERROR   Reconciler error        {"controller": "certificate", "controllerGroup": "acm.services.k8s.aws", "controllerKind": "Certificate", "Certificate": {"name":"nginx-ingress-tls-secret","namespace":"cluster-ingress"}, "namespace": "cluster-ingress", "name": "nginx-ingress-tls-secret", "reconcileID": "fcad16e9-41f1-4540-ab39-1f1967b339fc", "error": "read-only resource not found"}

Expected outcome

Existing ACM certificate is located and exported to target kubernetes.io/tls secret.

Environment

• acm-controller 1.3.2
• k8s/eks v1.33.5-eks-3025e55
• attempting to export from existing ACM certicificate to kubernetes tls secret.

[github-actions]

Hello @jhcolville 👋 Thank you for opening an issue in ACK! A maintainer will triage this issue soon.

We encourage community contributions, so if you're interested in tackling this yourself or suggesting a solution, please check out our Contribution and Code of Conduct guidelines.

You can find more information about ACK on our website.

[knottnt]

@jhcolville Yes, the acm-controller supports the read-only and adoption feature gates. To adopt an ACM certificate you'll need to provide the ARN of the certificate in the adoption fields as shown below.

apiVersion: acm.services.k8s.aws/v1alpha1
kind: Certificate
metadata:
  name: example-certificate
  namespace: default
  annotations:
    services.k8s.aws/read-only: "true"
    services.k8s.aws/adoption-policy: "adopt"
    services.k8s.aws/adoption-fields: |
      {"arn": "arn:aws:acm:<region>:<accountid>:certificate/<cert-id>"}
spec:

Unfortunately, it doesn't look like the exportTo functionality currently supports read-only as the export happens in the update path.

[jhcolville]

Hey @knottnt thanks very much for your time to reply and providing an example, I'd used the wrong key "certificateARN" in the adoption fields.

What's the likelihood of export to kubernetes.io/tls type secret in read-only mode becoming possible in the next 6-12 months for this controller? It would be a super useful feature for us. I'd also consider managing the certificate in read-write mode from this controller except we'll need to handle association with load balancers (which I understand aws-load-balancer-controller can also do, though there may be some challenges with disassociation/cleanup) but we're really geared for managing the AWS-side of resources outside of k8s for now.

Outside of this issue is there somewhere more appropriate to vote / propose support for such functionality?

Thanks again,