Open
Labels
- lifecycle/rotten: Denotes an issue or PR that has aged beyond stale and will be auto-closed.
- service/acm: Indicates issues or PRs that are related to acm-controller.
Description
Describe the bug
Creating a Certificate resource with `spec.keyAlgorithm` requires the algorithm name separated by underscores, e.g. `RSA_2048`.
This does not match the value returned by ACM DescribeCertificate, which is separated by dashes, e.g. `RSA-2048`.
This causes the ACM ACK controller to infinitely reconcile the resource.
The following is observed in the controller logs:
```json
{
  "level": "info",
  "ts": "2025-03-17T05:29:07.108Z",
  "logger": "ackrt",
  "msg": "desired resource state has changed",
  "kind": "Certificate",
  "namespace": "my-namespace",
  "name": "my-certificate",
  "account": "my-account",
  "role": "my-role",
  "region": "us-east-1",
  "is_adopted": false,
  "generation": 2,
  "diff": [
    {
      "Path": {
        "Parts": [
          "Spec",
          "KeyAlgorithm"
        ]
      },
      "A": "RSA-2048",
      "B": "RSA_2048"
    }
  ]
}
{
  "level": "info",
  "ts": "2025-03-17T05:28:52.386Z",
  "logger": "ackrt",
  "msg": "desired resource state has changed",
  "kind": "Certificate",
  "namespace": "my-namespace",
  "name": "my-certificate",
  "account": "my-account",
  "role": "my-role",
  "region": "us-east-1",
  "is_adopted": false,
  "generation": 3,
  "diff": [
    {
      "Path": {
        "Parts": [
          "Spec",
          "KeyAlgorithm"
        ]
      },
      "A": "RSA_2048",
      "B": "RSA-2048"
    }
  ]
}
```
Steps to reproduce
Create a Certificate resource with `spec.keyAlgorithm` set to `RSA_2048`.
Expected outcome
The resource should be updated with the log message `updated resource`. There should not be any `desired resource state has changed` message with a diff for `keyAlgorithm`.
```json
{
  "level": "info",
  "ts": "2025-03-18T23:28:43.969Z",
  "logger": "ackrt",
  "msg": "updated resource",
  "kind": "Certificate",
  "namespace": "my-namespace",
  "name": "my-certificate",
  "account": "my-account",
  "role": "my-role",
  "region": "us-east-1",
  "is_adopted": false,
  "generation": 578
}
```
Environment
- Kubernetes version - 1.32
- Using EKS - yes, if so version? 1.32
- AWS service targeted (S3, RDS, etc.) ACM
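
A way to spot this reconcile loop in controller logs, as an added example that is not part of the original issue and is not ACK controller code: it flags `desired resource state has changed` entries whose diff sides differ only in `-` versus `_`. It assumes one JSON object per log line; `SpuriousDiffs`, `normalize` and `sampleLogs` are hypothetical names, and the sample input is constructed from the entries above.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// logEntry mirrors only the fields of the ackrt log entries shown in the issue.
type logEntry struct {
	Msg  string `json:"msg"`
	Name string `json:"name"`
	Diff []struct {
		Path struct{ Parts []string }
		A, B any
	} `json:"diff"`
}

// sampleLogs is constructed input, condensed from the log entries in the issue.
const sampleLogs = `{"msg":"desired resource state has changed","name":"my-certificate","diff":[{"Path":{"Parts":["Spec","KeyAlgorithm"]},"A":"RSA-2048","B":"RSA_2048"}]}
{"msg":"desired resource state has changed","name":"my-certificate","diff":[{"Path":{"Parts":["Spec","KeyAlgorithm"]},"A":"RSA_2048","B":"RSA-2048"}]}
{"msg":"updated resource","name":"my-certificate"}`

// normalize treats '-' and '_' as the same separator (an assumption of this example).
func normalize(s string) string { return strings.ReplaceAll(s, "-", "_") }

// SpuriousDiffs counts, per "name/field path", diffs whose sides differ only in separator style.
func SpuriousDiffs(logs string) map[string]int {
	counts := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		var e logEntry
		if json.Unmarshal(sc.Bytes(), &e) != nil || e.Msg != "desired resource state has changed" {
			continue // not JSON, or not a drift message
		}
		for _, d := range e.Diff {
			a, aok := d.A.(string)
			b, bok := d.B.(string)
			if aok && bok && a != b && normalize(a) == normalize(b) {
				counts[e.Name+"/"+strings.Join(d.Path.Parts, ".")]++
			}
		}
	}
	return counts
}

func main() { fmt.Println(SpuriousDiffs(sampleLogs)) }
```

A count that keeps growing for the same resource and field indicates the flapping described in this issue rather than a real change to the desired state.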