Description
When an ACM certificate that was previously imported is deleted directly in the AWS Console, the ACK ACM controller (v1.1.0) detects the existing Kubernetes ACM resource (status shows type_: IMPORTED) and attempts to reconcile/re-import it. However, the controller mutates the manifest by adding request-only fields:
spec.domainValidationOptions.domainName
spec.keyAlgorithm
spec.options.certificateTransparencyLoggingPreference
spec.subjectAlternativeNames

It then loops and fails with the error: cannot set fields used for requesting a certificate when importing a certificate
Steps to reproduce
Deploy ack-acm-controller v1.1.0 with a Certificate CR representing an imported certificate (i.e., created via import, not request).
Ensure the Certificate resource in Kubernetes shows status type_: IMPORTED.
Delete the corresponding certificate in the AWS ACM console (same region as controller).
Observe the controller reconciliation loop logs: it adds the above spec fields and fails repeatedly with the error message: cannot set fields used for requesting a certificate when importing a certificate.
Expected outcome
The controller should:
Re-import (recreate) the ACM certificate using the existing import-related metadata (or surface a clear terminal condition requesting user action), OR
Leave the spec untouched (not inject request-only fields) so that a clean import can proceed after the user supplies the required PEM material if necessary.
Environment
Kubernetes version: 1.33
EKS: yes
ACK ACM controller version: v1.1.0
AWS service targeted: ACM (AWS Certificate Manager)
Region used by controller: us-east-1
Additional context:
Environment variables set on controller include: RECONCILE_DEFAULT_MAX_CONCURRENT_SYNCS=1, RECONCILE_DEFAULT_RESYNC_PERIOD=1m, ACK_LOG_LEVEL=DEBUG, FEATURE_GATES=ResourceAdoption=false,ReadOnlyResources=false.
The certificate was originally imported (not requested) so request-only fields should not be enforced.
Looping behavior increases log noise and prevents automatic recovery.
Proposed fix (suggestion)
Skip mutation of request-only fields (domainValidationOptions, keyAlgorithm, options.certificateTransparencyLoggingPreference, subjectAlternativeNames) when status indicates an imported certificate (type_: IMPORTED) and the backend ACM certificate no longer exists. Instead, either:
Support re-import automatically if import data (certificate + private key + chain) is still available in the Kubernetes secret referenced by the CR.
Let me know if you’d like me to add logs (with redactions) or run a debug build.
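The following script is an added example, not part of this issue or of the ack-acm-controller code base. It implements, outside the controller, the check the proposed fix describes: given a Certificate CR as returned by kubectl get -o json, it decides whether the resource is an imported certificate (status.type_ == IMPORTED), lists the request-only fields that have been injected into spec, and emits an RFC 6902 JSON patch that removes them so a clean import can be retried. The sample manifest is constructed for the example; the import-material field names (spec.certificate, spec.privateKey, spec.certificateChain as Secret references) and the apiVersion are assumptions drawn from the issue text, not confirmed against the CRD.

```python
"""Detect request-only fields on an imported ACK ACM Certificate and emit a
JSON patch (RFC 6902) that strips them.

Added example; not controller code. The import-material field names and the
apiVersion below are assumptions, and SAMPLE_CR is a constructed manifest.
"""
import copy
import json
import sys

# Request-only fields named in the issue, as JSON-pointer paths.
REQUEST_ONLY_PATHS = (
    "/spec/domainValidationOptions",
    "/spec/keyAlgorithm",
    "/spec/options/certificateTransparencyLoggingPreference",
    "/spec/subjectAlternativeNames",
)

# Secret references that carry the import material (assumed CRD field names).
IMPORT_REF_FIELDS = ("certificate", "privateKey", "certificateChain")

# Constructed sample: an imported certificate after the controller has
# injected the request-only fields described in the issue.
SAMPLE_CR = {
    "apiVersion": "acm.services.k8s.aws/v1alpha1",  # assumed group/version
    "kind": "Certificate",
    "metadata": {"name": "imported-example", "namespace": "default"},
    "spec": {
        "certificate": {"name": "imported-example-tls", "key": "tls.crt"},
        "privateKey": {"name": "imported-example-tls", "key": "tls.key"},
        "certificateChain": {"name": "imported-example-tls", "key": "ca.crt"},
        "domainValidationOptions": [{"domainName": "example.com"}],
        "keyAlgorithm": "RSA_2048",
        "options": {"certificateTransparencyLoggingPreference": "ENABLED"},
        "subjectAlternativeNames": ["example.com"],
    },
    "status": {"type_": "IMPORTED"},
}


def _resolve(doc, pointer):
    """Return the value at a JSON pointer (object keys only), or None."""
    node = doc
    for part in pointer.strip("/").split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def is_imported(cr):
    """True when the controller reports the certificate as imported."""
    return (cr.get("status") or {}).get("type_") == "IMPORTED"


def injected_request_fields(cr):
    """Request-only paths present on an imported certificate's spec.

    A requested certificate (e.g. type_ AMAZON_ISSUED) legitimately carries
    these fields, so nothing is reported unless status.type_ is IMPORTED.
    """
    if not is_imported(cr):
        return []
    return [p for p in REQUEST_ONLY_PATHS if _resolve(cr, p) is not None]


def build_strip_patch(cr):
    """RFC 6902 remove operations for the injected fields.

    If spec.options would be left empty, the whole options object is removed
    rather than only the CT logging preference inside it.
    """
    ops = []
    options = _resolve(cr, "/spec/options")
    for path in injected_request_fields(cr):
        if (path.startswith("/spec/options/") and isinstance(options, dict)
                and set(options) == {"certificateTransparencyLoggingPreference"}):
            path = "/spec/options"
        ops.append({"op": "remove", "path": path})
    return ops


def apply_remove_patch(cr, patch):
    """Apply remove-only JSON patch ops locally to preview the result."""
    out = copy.deepcopy(cr)
    for op in patch:
        if op["op"] != "remove":
            raise ValueError("only remove ops are generated here")
        parts = op["path"].strip("/").split("/")
        parent = out
        for part in parts[:-1]:
            parent = parent[part]
        parent.pop(parts[-1], None)
    return out


def has_import_material(cr):
    """True when every import reference names a Secret and a key."""
    spec = cr.get("spec") or {}
    return all(
        isinstance(spec.get(f), dict) and spec[f].get("name") and spec[f].get("key")
        for f in IMPORT_REF_FIELDS
    )


if __name__ == "__main__":
    # Usage: kubectl get certificate NAME -o json | python3 strip_request_fields.py
    cr = SAMPLE_CR if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(build_strip_patch(cr)))
```

To try it against a live resource: kubectl patch certificate imported-example -n default --type=json -p "$(kubectl get certificate imported-example -n default -o json | python3 strip_request_fields.py)". Since the report says the controller re-adds these fields on every reconcile, such a patch is only a way to confirm the diagnosis and to stage a clean spec for a re-import; it is not a substitute for the controller-side fix proposed above.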