Update to ACK runtime v0.39.0, code-generator v0.39.1 (#71)
### Update to ACK runtime `v0.39.0`, code-generator `v0.39.1`

----------

* ACK code-generator `v0.39.1` [release notes](https://github.com/aws-controllers-k8s/code-generator/releases/tag/v0.39.1)
* ACK runtime `v0.39.0` [release notes](https://github.com/aws-controllers-k8s/runtime/releases/tag/v0.39.0)

----------

NOTE:
This PR increments the release version of service controller from `v0.0.19` to `v0.0.20`

Once this PR is merged, release `v0.0.20` will be automatically created for `acmpca-controller`

**Please close this PR, if you do not want the new patch release for `acmpca-controller`**

----------

#### stdout for `make build-controller`:

```
building ack-generate ... ok.
==== building acmpca-controller ====
Copying common custom resource definitions into acmpca
Building Kubernetes API objects for acmpca
Generating deepcopy code for acmpca
Generating custom resource definitions for acmpca
Building service controller for acmpca
Generating RBAC manifests for acmpca
Running gofmt against generated code for acmpca
Updating additional GitHub repository maintenance files
==== building acmpca-controller release artifacts ====
Building release artifacts for acmpca-v0.0.20
Generating common custom resource definitions
Generating custom resource definitions for acmpca
Generating RBAC manifests for acmpca
```

----------

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
ack-bot authored Oct 10, 2024
1 parent f4b23b1 commit 764826d
Showing 20 changed files with 140 additions and 356 deletions.
10 changes: 5 additions & 5 deletions apis/v1alpha1/ack-generate-metadata.yaml
@@ -1,9 +1,9 @@
ack_generate_info:
build_date: "2024-09-05T13:35:46Z"
build_hash: f8f98563404066ac3340db0a049d2e530e5c51cc
go_version: go1.22.5
version: v0.38.1
api_directory_checksum: bd1c805e13428d024256fc04295c87e9bee1524c
build_date: "2024-10-10T04:04:00Z"
build_hash: 36c2d234498c2bc4f60773ab8df632af4067f43b
go_version: go1.23.2
version: v0.39.1
api_directory_checksum: 2a5ffd53d814dd7186cef799fb8fb320d6bf6866
api_version: v1alpha1
aws_sdk_go_version: v1.49.6
generator_config_info:
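Review bot: `go_version` moves from go1.22.5 to go1.23.2 in this hunk, while the commit message names only the runtime and code-generator bumps and `aws_sdk_go_version: v1.49.6` stays as it was. Call out the Go toolchain change in the PR description, and confirm that the release image is built with the toolchain recorded here so that this metadata describes the binary that ships.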
2 changes: 1 addition & 1 deletion config/controller/kustomization.yaml
Expand Up @@ -6,4 +6,4 @@ kind: Kustomization
images:
- name: controller
newName: public.ecr.aws/aws-controllers-k8s/acmpca-controller
newTag: 0.0.19
newTag: 0.0.20
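Review bot: `newTag: 0.0.20` identifies the controller image by tag only, and a tag can be repointed after release. This controller manages private CA resources, so consider having the release automation also write a `digest:` entry in this `images` item for `public.ecr.aws/aws-controllers-k8s/acmpca-controller`, which fixes the deployment to the exact artifact the release produced.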
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.16.2
name: certificateauthorities.acmpca.services.k8s.aws
spec:
group: acmpca.services.k8s.aws
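Review bot: the `controller-gen.kubebuilder.io/version` annotation jumps from v0.14.0 to v0.16.2 here, and the commit message does not mention it. The other CRD changes visible in this commit are description whitespace, so state in the PR body that the controller-gen bump is the source of that churn and confirm that no schema fields, types or `required` entries changed with it.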
Expand Down Expand Up @@ -41,7 +41,6 @@ spec:
description: |-
CertificateAuthoritySpec defines the desired state of CertificateAuthority.
Contains information about your private certificate authority (CA). Your
private CA can issue and revoke X.509 digital certificates. Digital certificates
verify that the entity named in the certificate Subject field owns or controls
Expand Down Expand Up @@ -255,17 +254,14 @@ spec:
Specifies a cryptographic key management compliance standard used for handling
CA keys.
Default: FIPS_140_2_LEVEL_3_OR_HIGHER
Some Amazon Web Services Regions do not support the default. When creating
a CA in these Regions, you must provide FIPS_140_2_LEVEL_2_OR_HIGHER as the
argument for KeyStorageSecurityStandard. Failure to do this results in an
InvalidArgsException with the message, "A certificate authority cannot be
created in this region with the specified security standard."
For information about security standard support in various Regions, see Storage
and security compliance of Amazon Web Services Private CA private keys (https://docs.aws.amazon.com/privateca/latest/userguide/data-protection.html#private-keys).
type: string
Expand All @@ -276,28 +272,22 @@ spec:
to enable neither. The default is for both certificate validation mechanisms
to be disabled.
The following requirements apply to revocation configurations.
* A configuration disabling CRLs or OCSP must contain only the Enabled=False
parameter, and will fail if other parameters such as CustomCname or ExpirationInDays
are included.
* In a CRL configuration, the S3BucketName parameter must conform to Amazon
S3 bucket naming rules (https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html).
* A configuration containing a custom Canonical Name (CNAME) parameter
for CRLs or OCSP must conform to RFC2396 (https://www.ietf.org/rfc/rfc2396.txt)
restrictions on the use of special characters in a CNAME.
* In a CRL or OCSP configuration, the value of a CNAME parameter must
not include a protocol prefix such as "http://" or "https://".
For more information, see the OcspConfiguration (https://docs.aws.amazon.com/privateca/latest/APIReference/API_OcspConfiguration.html)
and CrlConfiguration (https://docs.aws.amazon.com/privateca/latest/APIReference/API_CrlConfiguration.html)
types.
Expand All @@ -314,70 +304,54 @@ spec:
Points extension of each certificate it issues. Your S3 bucket policy must
give write permission to Amazon Web Services Private CA.
Amazon Web Services Private CA assets that are stored in Amazon S3 can be
protected with encryption. For more information, see Encrypting Your CRLs
(https://docs.aws.amazon.com/privateca/latest/userguide/PcaCreateCa.html#crl-encryption).
Your private CA uses the value in the ExpirationInDays parameter to calculate
the nextUpdate field in the CRL. The CRL is refreshed prior to a certificate's
expiration date or when a certificate is revoked. When a certificate is revoked,
it appears in the CRL until the certificate expires, and then in one additional
CRL after expiration, and it always appears in the audit report.
A CRL is typically updated approximately 30 minutes after a certificate is
revoked. If for any reason a CRL update fails, Amazon Web Services Private
CA makes further attempts every 15 minutes.
CRLs contain the following fields:
* Version: The current version number defined in RFC 5280 is V2. The integer
value is 0x1.
* Signature Algorithm: The name of the algorithm used to sign the CRL.
* Issuer: The X.500 distinguished name of your private CA that issued
the CRL.
* Last Update: The issue date and time of this CRL.
* Next Update: The day and time by which the next CRL will be issued.
* Revoked Certificates: List of revoked certificates. Each list item contains
the following information. Serial Number: The serial number, in hexadecimal
format, of the revoked certificate. Revocation Date: Date and time the
certificate was revoked. CRL Entry Extensions: Optional extensions for
the CRL entry. X509v3 CRL Reason Code: Reason the certificate was revoked.
* CRL Extensions: Optional extensions for the CRL. X509v3 Authority Key
Identifier: Identifies the public key associated with the private key
used to sign the certificate. X509v3 CRL Number:: Decimal sequence number
for the CRL.
* Signature Algorithm: Algorithm used by your private CA to sign the CRL.
* Signature Value: Signature computed over the CRL.
Certificate revocation lists created by Amazon Web Services Private CA are
DER-encoded. You can use the following OpenSSL command to list a CRL.
openssl crl -inform DER -text -in crl_path -noout
For more information, see Planning a certificate revocation list (CRL) (https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html)
in the Amazon Web Services Private Certificate Authority User Guide
properties:
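Review bot: in the CRL description, `X509v3 CRL Number::` carries a doubled colon and `Signature Algorithm` appears twice in the field list with different wording. With the blank lines dropped in this regeneration, the command `openssl crl -inform DER -text -in crl_path -noout` also no longer stands apart from the sentences around it. This file is generated, so the fix belongs in the generator input rather than in a hand edit here.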
Expand All @@ -398,7 +372,6 @@ spec:
Contains information to enable and configure Online Certificate Status Protocol
(OCSP) for validating certificate revocation status.
When you revoke a certificate, OCSP responses may take up to 60 minutes to
reflect the new status.
properties:
Expand Down Expand Up @@ -438,11 +411,11 @@ spec:
omit revocation because they expire quickly. Short-lived certificate validity
is limited to seven days.
The default value is GENERAL_PURPOSE.
type: string
required:
- certificateAuthorityConfiguration
- type
type: object
status:
description: CertificateAuthorityStatus defines the observed state of
Expand All @@ -462,7 +435,6 @@ spec:
when it has verified that an "adopted" resource (a resource where the
ARN annotation was set by the Kubernetes user on the CR) exists and
matches the supplied CR's Spec field values.
TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse
https://github.com/aws/aws-controllers-k8s/issues/270
type: string
ownerAccountID:
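Review bot: the status field description still ends with `TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse`, and after this change it follows the preceding sentence with no blank line between them. A maintainer TODO does not belong in text that is shown to CRD users; move it to a source comment that is not emitted into the description, and keep the link to https://github.com/aws/aws-controllers-k8s/issues/270 there.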
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.16.2
name: certificateauthorityactivations.acmpca.services.k8s.aws
spec:
group: acmpca.services.k8s.aws
Expand Down Expand Up @@ -67,13 +67,12 @@ spec:
(https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html).
This must be of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
type: string
certificateAuthorityRef:
description: "AWSResourceReferenceWrapper provides a wrapper around
*AWSResourceReference\ntype to provide more user friendly syntax
for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t
for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t
\ name: my-api"
properties:
from:
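Review bot: the `certificateAuthorityRef` description gives its example as `APIIDRef:` with `name: my-api`, which is not a field of this resource. This hunk only removes one `\n` from that string, so the example stays misleading; have the shared wrapper comment use a neutral field name, or generate the example from the field the wrapper is attached to.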
Expand Down Expand Up @@ -150,7 +149,6 @@ spec:
when it has verified that an "adopted" resource (a resource where the
ARN annotation was set by the Kubernetes user on the CR) exists and
matches the supplied CR's Spec field values.
TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse
https://github.com/aws/aws-controllers-k8s/issues/270
type: string
ownerAccountID:
20 changes: 3 additions & 17 deletions config/crd/bases/acmpca.services.k8s.aws_certificates.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.16.2
name: certificates.acmpca.services.k8s.aws
spec:
group: acmpca.services.k8s.aws
Expand Down Expand Up @@ -46,7 +46,6 @@ spec:
or else this parameter is ignored. For more information about using these
templates, see Understanding Certificate Templates (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html).
If conflicting or duplicate certificate information is supplied during certificate
issuance, Amazon Web Services Private CA applies order of operation rules
(https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#template-order-of-operations)
Expand Down Expand Up @@ -88,7 +87,6 @@ spec:
description: |-
Specifies the X.509 extension information for a certificate.
Extensions present in CustomExtensions follow the ApiPassthrough template
rules (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#template-order-of-operations).
properties:
Expand Down Expand Up @@ -283,13 +281,12 @@ spec:
(https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html).
This must be of the form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
type: string
certificateAuthorityRef:
description: "AWSResourceReferenceWrapper provides a wrapper around
*AWSResourceReference\ntype to provide more user friendly syntax
for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t
for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t
\ name: my-api"
properties:
from:
Expand Down Expand Up @@ -328,7 +325,7 @@ spec:
certificateSigningRequestRef:
description: "AWSResourceReferenceWrapper provides a wrapper around
*AWSResourceReference\ntype to provide more user friendly syntax
for references using 'from' field\nEx:\nAPIIDRef:\n\n\n\tfrom:\n\t
for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t
\ name: my-api"
properties:
from:
Expand All @@ -347,11 +344,9 @@ spec:
The name of the algorithm that will be used to sign the certificate to be
issued.
This parameter should not be confused with the SigningAlgorithm parameter
used to sign a CSR in the CreateCertificateAuthority action.
The specified signing algorithm family (RSA or ECDSA) must match the algorithm
family of the CA's secret key.
type: string
Expand All @@ -363,11 +358,9 @@ spec:
choose the shortest path length that meets your needs. The path length is
indicated by the PathLenN portion of the ARN, where N is the CA depth (https://docs.aws.amazon.com/privateca/latest/userguide/PcaTerms.html#terms-cadepth).
Note: The CA depth configured on a subordinate CA certificate must not exceed
the limit set by its parents in the CA hierarchy.
For a list of TemplateArn values supported by Amazon Web Services Private
CA, see Understanding Certificate Templates (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html).
type: string
Expand All @@ -376,19 +369,16 @@ spec:
Information describing the end of the validity period of the certificate.
This parameter sets the “Not After” date for the certificate.
Certificate validity is the period of time during which a certificate is
valid. Validity can be expressed as an explicit date and time when the certificate
expires, or as a span of time after issuance, stated in days, months, or
years. For more information, see Validity (https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5)
in RFC 5280.
This value is unaffected when ValidityNotBefore is also specified. For example,
if Validity is set to 20 days in the future, the certificate will expire
20 days from issuance time regardless of the ValidityNotBefore value.
The end of the validity period configured on a certificate must not exceed
the limit set on its parents in the CA hierarchy.
properties:
Expand All @@ -403,16 +393,13 @@ spec:
Information describing the start of the validity period of the certificate.
This parameter sets the “Not Before" date for the certificate.
By default, when issuing a certificate, Amazon Web Services Private CA sets
the "Not Before" date to the issuance time minus 60 minutes. This compensates
for clock inconsistencies across computer systems. The ValidityNotBefore
parameter can be used to customize the “Not Before” value.
Unlike the Validity parameter, the ValidityNotBefore parameter is optional.
The ValidityNotBefore value is expressed as an explicit date and time, using
the Validity type value ABSOLUTE. For more information, see Validity (https://docs.aws.amazon.com/privateca/latest/APIReference/API_Validity.html)
in this API reference and Validity (https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5)
Expand Down Expand Up @@ -445,7 +432,6 @@ spec:
when it has verified that an "adopted" resource (a resource where the
ARN annotation was set by the Kubernetes user on the CR) exists and
matches the supplied CR's Spec field values.
TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse
https://github.com/aws/aws-controllers-k8s/issues/270
type: string
ownerAccountID:
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.16.2
name: adoptedresources.services.k8s.aws
spec:
group: services.k8s.aws
Expand Down Expand Up @@ -78,11 +78,9 @@ spec:
automatically converts this to an arbitrary string-string map.
https://github.com/kubernetes-sigs/controller-tools/issues/385
Active discussion about inclusion of this field in the spec is happening in this PR:
https://github.com/kubernetes-sigs/controller-tools/pull/395
Until this is allowed, or if it never is, we will produce a subset of the object meta
that contains only the fields which the user is allowed to modify in the metadata.
properties:
Expand All @@ -105,13 +103,11 @@ spec:
and may be truncated by the length of the suffix required to make the value
unique on the server.
If this field is specified and the generated name exists, the server will
NOT return a 409 - instead, it will either return 201 Created or 500 with Reason
ServerTimeout indicating a unique name could not be found in the time allotted, and the client
should retry (optionally after the time indicated in the Retry-After header).
Applied only if Name is not specified.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
type: string
Expand Down Expand Up @@ -140,7 +136,6 @@ spec:
Not all objects are required to be scoped to a namespace - the value of this field for
those objects will be empty.
Must be a DNS_LABEL.
Cannot be updated.
More info: http://kubernetes.io/docs/user-guide/namespaces
2 changes: 1 addition & 1 deletion config/crd/common/bases/services.k8s.aws_fieldexports.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.16.2
name: fieldexports.services.k8s.aws
spec:
group: services.k8s.aws