Feat: Add support to export ACM certificates (#82)

Add support to export ACM certificates to Kubernetes TLS Secrets for ACM private and public certificates.

Author: alexwang0311

README.md

@@ -8,6 +8,48 @@ Kubernetes Github project.
 
 [ack-issues]: https://github.com/aws/aws-controllers-k8s/issues
 
+## Getting Started
+
+### Pricing
+The ACK service controller for AWS Certificate Manager is free of charge. If you issue an exportable public certificate with AWS Certificate Manager, there is a charge at certificate issuance and again when the certificate renews. Learn more about [AWS Certificate Manager Pricing](https://aws.amazon.com/certificate-manager/pricing/).
+
+[samples]: https://github.com/aws-controllers-k8s/acmpca-controller/tree/main/samples
+
+### Kubernetes Secrets
+The ACK service controller for AWS Certificate Manager uses Kubernetes TLS Secrets to store the certificate chain and decrypted private key of [exportable public certificates](https://docs.aws.amazon.com/acm/latest/userguide/acm-exportable-certificates.html). Users are expected to create Secrets before creating Certificate resources. As these resources are created, the Secrets' `tls.crt` will be injected with the base64-encoded certificate and `tls.key` will be injected with the base64-encoded private key associated with the certificate. Users are responsible for deleting Secrets.
+
+In addition, after a certificate is successfully renewed by ACM, the ACK service controller for AWS Certificate Manager will automatically export the renewed certificate again so that the Kubernetes TLS Secret `exportTo` contains the certificate data and private key data of the renewed certificate.
+
+#### Export Certificate
+To export an ACM exportable public certificate to a Kubernetes TLS Secret, users must specify the namespace and the name of the Secret using the `exportTo` field of the Certificate resource, as shown below.
+
+```
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+  name: exported-cert-secret
+  namespace: demo-app
+data:
+  tls.crt: ""
+  tls.key: ""
+---
+apiVersion: acm.services.k8s.aws/v1alpha1
+kind: Certificate
+metadata:
+  name: exportable-public-cert
+  namespace: demo-app
+spec:
+  domainName: my.domain.com
+  options:
+    certificateTransparencyLoggingPreference: ENABLED
+  exportTo:
+    namespace: demo-app
+    name: exported-cert-secret
+    key: tls.crt
+...
+```
+
 ## Contributing
 
 We welcome community contributions and pull requests.

apis/v1alpha1/ack-generate-metadata.yaml

@@ -1,13 +1,13 @@
 ack_generate_info:
-  build_date: "2025-11-29T03:39:17Z"
-  build_hash: 23c7074fa310ad1ccb38946775397c203b49f024
-  go_version: go1.25.4
-  version: v0.56.0
-api_directory_checksum: 3e7a69c0415ed45a0a26d12bd1498f965d70c69a
+  build_date: "2025-12-01T23:41:16Z"
+  build_hash: a3d580fb0f446539bbd1f4efa5a759e59c53cbfa
+  go_version: go1.25.1
+  version: v0.56.0-1-ga3d580f
+api_directory_checksum: 5dc0b682f154f3479809e330d2760ff9575e9bea
 api_version: v1alpha1
 aws_sdk_go_version: v1.32.6
 generator_config_info:
-  file_checksum: 1489a54e7f1a1b28f8b44e738c239b03b364f74a
+  file_checksum: 62b614b540cda719ee9142cbc530d180cbf2c52d
   original_file_name: generator.yaml
 last_modification:
   reason: API generation

apis/v1alpha1/certificate.go

@@ -17,22 +17,16 @@ operations:
 resources:
   Certificate:
     hooks:
+      delta_pre_compare:
+        template_path: hooks/certificate/delta_pre_compare.go.tpl
       sdk_update_pre_build_request:
         template_path: hooks/certificate/sdk_update_pre_build_request.go.tpl
+      sdk_update_post_set_output:
+        template_path: hooks/certificate/sdk_update_post_set_output.go.tpl
       sdk_create_pre_build_request:
         template_path: hooks/certificate/sdk_create_pre_build_request.go.tpl
       sdk_create_post_build_request:
-        # NOTE(jaypipes): We only support DNS-based validation, because
-        # certificate renewal is not really automatable when email verification
-        # is used.
-        #
-        # See discussion here:
-        # https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html
-        #
-        # Unfortunately, because fields in the "ignore" configuration list are
-        # now deleted from the aws-sdk-go private/model/api.Shape object,
-        # setting `override_values` above does not work :(
-        code: input.ValidationMethod = "DNS"
+        template_path: hooks/certificate/sdk_create_post_build_request.go.tpl
       sdk_read_one_pre_set_output:
         template_path: hooks/certificate/sdk_read_one_pre_set_output.go.tpl
       sdk_file_end:
@@ -53,6 +47,12 @@ resources:
     reconcile:
       requeue_on_success_seconds: 60
     fields:
+      ExportTo:
+        type: "bytes"
+        is_immutable: true
+        is_secret: true
+        compare:
+          is_ignored: true
       DomainName:
         is_primary_key: false
         is_required: false

apis/v1alpha1/generator.yaml

@@ -159,6 +159,29 @@ spec:
                 x-kubernetes-validations:
                 - message: Value is immutable once set
                   rule: self == oldSelf
+              exportTo:
+                description: |-
+                  SecretKeyReference combines a k8s corev1.SecretReference with a
+                  specific key within the referred-to Secret
+                properties:
+                  key:
+                    description: Key is the key within the secret
+                    type: string
+                  name:
+                    description: name is unique within a namespace to reference a
+                      secret resource.
+                    type: string
+                  namespace:
+                    description: namespace defines the space within which the secret
+                      name must be unique.
+                    type: string
+                required:
+                - key
+                type: object
+                x-kubernetes-map-type: atomic
+                x-kubernetes-validations:
+                - message: Value is immutable once set
+                  rule: self == oldSelf
               keyAlgorithm:
                 description: |-
                   Specifies the algorithm of the public and private key pair that your certificate

apis/v1alpha1/zz_generated.deepcopy.go

@@ -2,6 +2,7 @@
     "Version": "2012-10-17",
     "Statement": [
         {
+            "Sid": "ACMPublicCertificatePermissions",
             "Effect": "Allow",
             "Action": [
                 "acm:DescribeCertificate",
@@ -11,7 +12,18 @@
                 "acm:DeleteCertificate",
                 "acm:AddTagsToCertificate",
                 "acm:RemoveTagsFromCertificate",
-                "acm:ListTagsForCertificate"
+                "acm:ListTagsForCertificate",
+                "acm:ExportCertificate"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "ACMPrivateCertificatePermissions",
+            "Effect": "Allow",
+            "Action": [
+                "acm-pca:IssueCertificate",
+                "acm-pca:GetCertificate",
+                "acm-pca:ListPermissions"
             ],
             "Resource": "*"
         }

config/crd/bases/acm.services.k8s.aws_certificates.yaml

@@ -17,22 +17,16 @@ operations:
 resources:
   Certificate:
     hooks:
+      delta_pre_compare:
+        template_path: hooks/certificate/delta_pre_compare.go.tpl
       sdk_update_pre_build_request:
         template_path: hooks/certificate/sdk_update_pre_build_request.go.tpl
+      sdk_update_post_set_output:
+        template_path: hooks/certificate/sdk_update_post_set_output.go.tpl
       sdk_create_pre_build_request:
         template_path: hooks/certificate/sdk_create_pre_build_request.go.tpl
       sdk_create_post_build_request:
-        # NOTE(jaypipes): We only support DNS-based validation, because
-        # certificate renewal is not really automatable when email verification
-        # is used.
-        #
-        # See discussion here:
-        # https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html
-        #
-        # Unfortunately, because fields in the "ignore" configuration list are
-        # now deleted from the aws-sdk-go private/model/api.Shape object,
-        # setting `override_values` above does not work :(
-        code: input.ValidationMethod = "DNS"
+        template_path: hooks/certificate/sdk_create_post_build_request.go.tpl
       sdk_read_one_pre_set_output:
         template_path: hooks/certificate/sdk_read_one_pre_set_output.go.tpl
       sdk_file_end:
@@ -53,6 +47,12 @@ resources:
     reconcile:
       requeue_on_success_seconds: 60
     fields:
+      ExportTo:
+        type: "bytes"
+        is_immutable: true
+        is_secret: true
+        compare:
+          is_ignored: true
       DomainName:
         is_primary_key: false
         is_required: false

config/iam/recommended-inline-policy

@@ -8,11 +8,12 @@ require (
 	github.com/aws-controllers-k8s/acmpca-controller v0.0.17
 	github.com/aws-controllers-k8s/runtime v0.56.0
 	github.com/aws/aws-sdk-go v1.49.6
-	github.com/aws/aws-sdk-go-v2 v1.34.0
-	github.com/aws/aws-sdk-go-v2/service/acm v1.30.14
-	github.com/aws/smithy-go v1.22.2
+	github.com/aws/aws-sdk-go-v2 v1.39.2
+	github.com/aws/aws-sdk-go-v2/service/acm v1.33.0
+	github.com/aws/smithy-go v1.23.0
 	github.com/go-logr/logr v1.4.2
 	github.com/spf13/pflag v1.0.5
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78
 	k8s.io/api v0.32.1
 	k8s.io/apimachinery v0.32.1
 	k8s.io/client-go v0.32.1
@@ -23,11 +24,11 @@ require (
 	github.com/aws/aws-sdk-go-v2/config v1.28.6 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.47 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.21 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.24.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.33.2 // indirect
@@ -53,7 +54,6 @@ require (
 	github.com/itchyny/gojq v0.12.6 // indirect
 	github.com/itchyny/timefmt-go v0.1.3 // indirect
 	github.com/jaypipes/envutil v1.0.0 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -69,6 +69,7 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/oauth2 v0.27.0 // indirect