Fix export if Options is not set and update README (#83)

alexwang0311 · web-flow · commit 85fc5f0685f1 · 2025-12-02T18:15:55.000Z
Fix export if `Options` is `nil` (`options` field not set on the `certificate` resource) and update `README`
diff --git a/README.md b/README.md
@@ -11,18 +11,19 @@ Kubernetes Github project.
 ## Getting Started
 
 ### Pricing
-The ACK service controller for AWS Certificate Manager is free of charge. If you issue an exportable public certificate with AWS Certificate Manager, there is a charge at certificate issuance and again when the certificate renews. Learn more about [AWS Certificate Manager Pricing](https://aws.amazon.com/certificate-manager/pricing/).
+The ACK service controller for AWS Certificate Manager is free of charge. If you issue an [exportable public certificate](https://docs.aws.amazon.com/acm/latest/userguide/acm-exportable-certificates.html) with AWS Certificate Manager, there is a charge at certificate issuance and again when the certificate renews. Learn more about [AWS Certificate Manager Pricing](https://aws.amazon.com/certificate-manager/pricing/).
 
 [samples]: https://github.com/aws-controllers-k8s/acmpca-controller/tree/main/samples
 
 ### Kubernetes Secrets
-The ACK service controller for AWS Certificate Manager uses Kubernetes TLS Secrets to store the certificate chain and decrypted private key of [exportable public certificates](https://docs.aws.amazon.com/acm/latest/userguide/acm-exportable-certificates.html). Users are expected to create Secrets before creating Certificate resources. As these resources are created, the Secrets' `tls.crt` will be injected with the base64-encoded certificate and `tls.key` will be injected with the base64-encoded private key associated with the certificate. Users are responsible for deleting Secrets.
+The ACK service controller for AWS Certificate Manager uses Kubernetes TLS Secrets to store the certificate chain and decrypted private key of the exported ACM certificate. Users are expected to create Secrets before creating Certificate resources. As these resources are created, the Secrets' `tls.crt` will be injected with the base64-encoded certificate and `tls.key` will be injected with the base64-encoded private key associated with the certificate. Users are responsible for deleting Secrets.
 
 In addition, after a certificate is successfully renewed by ACM, the ACK service controller for AWS Certificate Manager will automatically export the renewed certificate again so that the Kubernetes TLS Secret `exportTo` contains the certificate data and private key data of the renewed certificate.
 
 #### Export Certificate
-To export an ACM exportable public certificate to a Kubernetes TLS Secret, users must specify the namespace and the name of the Secret using the `exportTo` field of the Certificate resource, as shown below.
+To export an ACM certificate to a Kubernetes TLS Secret, users must specify the namespace and the name of the Secret using the `exportTo` field of the Certificate resource, as shown below.
 
+##### Exporting an exportable ACM public certificate
 ```
 apiVersion: v1
 kind: Secret
@@ -50,6 +51,34 @@ spec:
 ...
 ```
 
+##### Exporting an ACM private certificate
+```
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+  name: exported-cert-secret
+  namespace: demo-app-2
+data:
+  tls.crt: ""
+  tls.key: ""
+---
+apiVersion: acm.services.k8s.aws/v1alpha1
+kind: Certificate
+metadata:
+  name: exportable-private-cert
+  namespace: demo-app-2
+spec:
+  domainName: my.domain.com
+  certificateAuthorityARN: arn:aws:acm-pca:{$REGION}:{$AWS_ACCOUNT}:certificate-authority/12345678-1234-1234-1234-123456789012
+  keyAlgorithm: EC_secp384r1
+  exportTo:
+    namespace: demo-app-2
+    name: exported-cert-secret
+    key: tls.crt
+```
+If you are issuing a privately trusted certificate, please also consider using this cert-manager plugin: https://github.com/cert-manager/aws-privateca-issuer/.
+
 ## Contributing
 
 We welcome community contributions and pull requests.
diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml
@@ -1,8 +1,8 @@
 ack_generate_info:
-  build_date: "2025-12-01T23:41:16Z"
-  build_hash: a3d580fb0f446539bbd1f4efa5a759e59c53cbfa
+  build_date: "2025-12-02T17:33:45Z"
+  build_hash: 06bffb95177cf873ee1b1a1c6f93cb30380c1e36
   go_version: go1.25.1
-  version: v0.56.0-1-ga3d580f
+  version: v0.56.0-2-g06bffb9
 api_directory_checksum: 5dc0b682f154f3479809e330d2760ff9575e9bea
 api_version: v1alpha1
 aws_sdk_go_version: v1.32.6
diff --git a/pkg/resource/certificate/sdk.go b/pkg/resource/certificate/sdk.go
diff --git a/templates/hooks/certificate/sdk_create_post_build_request.go.tpl b/templates/hooks/certificate/sdk_create_post_build_request.go.tpl
@@ -13,9 +13,8 @@ input.ValidationMethod = "DNS"
 
 // NOTE: exportPreference can ONLY be set for public certificates
 if desired.ko.Spec.ExportTo != nil && desired.ko.Spec.CertificateAuthorityARN == nil && desired.ko.Spec.CertificateAuthorityRef == nil {
-    options := input.Options
-    if options == nil {
-        options = &svcsdktypes.CertificateOptions{}
+    if input.Options == nil {
+        input.Options = &svcsdktypes.CertificateOptions{}
     }
-    options.Export = "ENABLED"
+    input.Options.Export = "ENABLED"
 }

Original file line number	Diff line number	Diff line change
`@@ -13,9 +13,8 @@ input.ValidationMethod = "DNS"`
`13`	`13`
`14`	`14`	`// NOTE: exportPreference can ONLY be set for public certificates`
`15`	`15`	`if desired.ko.Spec.ExportTo != nil && desired.ko.Spec.CertificateAuthorityARN == nil && desired.ko.Spec.CertificateAuthorityRef == nil {`
`16`		`- options := input.Options`
`17`		`- if options == nil {`
`18`		`- options = &svcsdktypes.CertificateOptions{}`
	`16`	`+ if input.Options == nil {`
	`17`	`+ input.Options = &svcsdktypes.CertificateOptions{}`
`19`	`18`	`}`
`20`		`- options.Export = "ENABLED"`
	`19`	`+ input.Options.Export = "ENABLED"`
`21`	`20`	`}`