Skip to content

feat: allow importing certificates from k8s tls secret#104

Open
mkl262 wants to merge 1 commit into
aws-controllers-k8s:mainfrom
mkl262:main
Open

feat: allow importing certificates from k8s tls secret#104
mkl262 wants to merge 1 commit into
aws-controllers-k8s:mainfrom
mkl262:main

Conversation

@mkl262

@mkl262 mkl262 commented Jul 6, 2026

Copy link
Copy Markdown

Issue #, if available:

Description of changes:
Adds importFrom to the Certificate CRD so certificates can be imported into ACM from a standard Kubernetes TLS Secret, without specifying individual secret keys.

The importFrom is mutually exclusive with certificate request fields (domainName, domainValidationOptions, etc.), exportTo, and opaque secret import fields (certificate, privateKey, certificateChain).

if tls secret tls.crt field contains multiple certificates, first certificate is handled as the certificate, and all trailing certificates are handled as CA chain.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@ack-prow
ack-prow Bot requested review from a-hilaly and knottnt July 6, 2026 17:37
@ack-prow

ack-prow Bot commented Jul 6, 2026

Copy link
Copy Markdown

Hi @mkl262. Thanks for your PR.

I'm waiting for a aws-controllers-k8s member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@ack-prow ack-prow Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 6, 2026
Comment thread pkg/resource/certificate/secrets.go Outdated
}
}

func apiReaderFromReconciler(rr acktypes.Reconciler) (client.Reader, error) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to be an unusual pattern to rely on unsafe package to get the apiReader.
I'm not an expert on ACK repo. I'd defer the final call the ACK maintainers.

@michaelhtm michaelhtm left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @mkl262
I noticed you did not generate the controller with code-generator. https://aws-controllers-k8s.github.io/docs/contributing/

I mainly see that you made manual changes.

Add support to importing ACM certificates from Kubernetes TLS secrets, which can include certificate chains
@ack-prow

ack-prow Bot commented Jul 16, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mkl262
Once this PR has been reviewed and has the lgtm label, please ask for approval from michaelhtm. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mkl262

mkl262 commented Jul 16, 2026

Copy link
Copy Markdown
Author

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants