Status: Open
Labels: kind/bug, lifecycle/rotten, service/acm
Description
Describe the bug
Creating a Certificate resource with spec.domainValidationOptions with multiple elements can cause an infinite reconcile loop if the order of the domainValidationOptions returned by ACM DescribeCertificate is different.
E.g. creating this certificate:

```yaml
apiVersion: acm.services.k8s.aws/v1alpha1
kind: Certificate
metadata:
  name: my-certificate
  namespace: my-namespace
spec:
  domainName: '*.my-domain'
  domainValidationOptions:
    - domainName: my-domain
      validationDomain: my-domain
    - domainName: '*.my-domain'
      validationDomain: '*.my-domain'
```
Results in the following from ACM DescribeCertificate; notice the wildcard domain is returned as the first element of the array:

```json
{
  "Certificate": {
    "CertificateArn": "my-certificate-arn",
    "DomainName": "*.my-domain",
    "SubjectAlternativeNames": [
      "*.my-domain",
      "my-domain"
    ],
    "DomainValidationOptions": [
      {
        "DomainName": "*.my-domain",
        "ValidationDomain": "*.my-domain",
        "ValidationStatus": "SUCCESS",
        "ResourceRecord": {
          "Name": "_xxx.my-domain.",
          "Type": "CNAME",
          "Value": "_xxx.xxx.acm-validations.aws."
        },
        "ValidationMethod": "DNS"
      },
      {
        "DomainName": "my-domain",
        "ValidationDomain": "my-domain",
        "ValidationStatus": "SUCCESS",
        "ResourceRecord": {
          "Name": "_xxx.my-domain.",
          "Type": "CNAME",
          "Value": "_xxx.xxx.acm-validations.aws."
        },
        "ValidationMethod": "DNS"
      }
    ],
    ...<truncated>...
  }
}
```
The following is observed in the controller logs:

```json
{
  "level": "info",
  "ts": "2025-03-17T05:28:04.775Z",
  "logger": "ackrt",
  "msg": "desired resource state has changed",
  "kind": "Certificate",
  "namespace": "my-namespace",
  "name": "my-certificate",
  "account": "my-account",
  "role": "my-role",
  "region": "ap-southeast-2",
  "is_adopted": false,
  "generation": 1,
  "diff": [
    {
      "Path": {
        "Parts": [
          "Spec",
          "DomainValidationOptions"
        ]
      },
      "A": [
        {
          "domainName": "my-domain.com",
          "validationDomain": "my-domain.com"
        },
        {
          "domainName": "*.my-domain.com",
          "validationDomain": "*.my-domain.com"
        }
      ],
      "B": [
        {
          "domainName": "*.my-domain.com",
          "validationDomain": "*.my-domain.com"
        },
        {
          "domainName": "my-domain.com",
          "validationDomain": "my-domain.com"
        }
      ]
    }
  ]
}
```
Steps to reproduce
Create a Certificate resource with multiple spec.domainValidationOptions elements, e.g.:

```yaml
apiVersion: acm.services.k8s.aws/v1alpha1
kind: Certificate
metadata:
  name: my-certificate
  namespace: my-namespace
spec:
  domainName: '*.my-domain'
  domainValidationOptions:
    - domainName: my-domain
      validationDomain: my-domain
    - domainName: '*.my-domain'
      validationDomain: '*.my-domain'
```
Expected outcome
The resource should be updated with the log message `updated resource`. There should not be any `desired resource state has changed` message when the elements are in a different order.

```json
{
  "level": "info",
  "ts": "2025-03-18T23:28:43.969Z",
  "logger": "ackrt",
  "msg": "updated resource",
  "kind": "Certificate",
  "namespace": "my-namespace",
  "name": "my-certificate",
  "account": "my-account",
  "role": "my-role",
  "region": "us-east-1",
  "is_adopted": false,
  "generation": 578
}
```
Environment
- Kubernetes version - 1.32
- Using EKS - yes, if so version? 1.32
- AWS service targeted (S3, RDS, etc.) - ACM
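To make the failure mode in this report concrete, here is an added example (not code from the issue author or from the acm-controller itself) that contrasts an element-by-element comparison of `domainValidationOptions`, which reports the re-ordered list as a change and so would keep the reconcile loop going, with an order-insensitive comparison that treats the field as the unordered collection ACM actually returns. The `DomainValidationOption` struct, the function names and the two sample slices are assumptions constructed for the example; the sample data mirrors the manifest and the DescribeCertificate order shown above.

```go
package main

import (
	"fmt"
	"sort"
)

// DomainValidationOption is a hypothetical stand-in for the two fields that
// appear in the issue's diff output; it is not the controller's generated type.
type DomainValidationOption struct {
	DomainName       string
	ValidationDomain string
}

// orderedEqual is the element-by-element comparison that produces a diff
// like the one in the issue: same members, different order, reported as a change.
func orderedEqual(a, b []DomainValidationOption) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// sortedCopy returns a copy sorted by (DomainName, ValidationDomain), leaving
// the caller's slice, which mirrors the API response order, untouched.
func sortedCopy(in []DomainValidationOption) []DomainValidationOption {
	out := make([]DomainValidationOption, len(in))
	copy(out, in)
	sort.Slice(out, func(i, j int) bool {
		if out[i].DomainName != out[j].DomainName {
			return out[i].DomainName < out[j].DomainName
		}
		return out[i].ValidationDomain < out[j].ValidationDomain
	})
	return out
}

// unorderedEqual compares the two lists as multisets: every element must
// appear the same number of times on both sides, but order is ignored, which
// matches the fact that DescribeCertificate may return the elements in any order.
func unorderedEqual(a, b []DomainValidationOption) bool {
	return orderedEqual(sortedCopy(a), sortedCopy(b))
}

// Constructed sample input: the desired spec from the manifest in the issue,
// and the same two elements in the order ACM returned them (wildcard first).
var desired = []DomainValidationOption{
	{DomainName: "my-domain", ValidationDomain: "my-domain"},
	{DomainName: "*.my-domain", ValidationDomain: "*.my-domain"},
}

var observed = []DomainValidationOption{
	{DomainName: "*.my-domain", ValidationDomain: "*.my-domain"},
	{DomainName: "my-domain", ValidationDomain: "my-domain"},
}

func main() {
	// The ordered comparison reports a change even though nothing differs,
	// which is what keeps the reconciler issuing updates; the unordered one does not.
	fmt.Println("ordered compare reports change:  ", !orderedEqual(desired, observed))
	fmt.Println("unordered compare reports change:", !unorderedEqual(desired, observed))
}
```

Sorting a copy rather than the original matters in a controller: the observed slice is what gets written back to `status`, and reordering it in place would itself show up as a spurious change on the next pass. A multiset comparison is also deliberately stricter than a set comparison, so a duplicated element on one side still counts as a real difference.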