[ACM] Certificate import should take kubernetes.io/tls secrets #2721

@starlightromero

Describe the bug
ACM Certificates can only be imported from Kubernetes secrets of type Opaque. However, when using cert-manager with AWSPCAIssuer, secrets of type kubernetes.io/tls are created. These PCA certificates cannot be imported into ACM due to the secret type.

Steps to reproduce

  • Create a Kubernetes secret of type kubernetes.io/tls (either via cert-manager or manually)
  • Import Certificate into ACM

apiVersion: acm.services.k8s.aws/v1alpha1
kind: Certificate
metadata:
  name: example
  namespace: example
spec:
  certificate:
    key: tls.key
    name: example
    namespace: example
  privateKey:
    key: tls.crt
    name: example
    namespace: example

Expected outcome
I expected the kubernetes.io/tls secret to be successfully imported and for a certificate to show in ACM.

Environment

  • Kubernetes version
    • 1.34
  • Using EKS (yes/no), if so version?
    • v1.34.1-eks-3cfe0ce
  • AWS service targeted (S3, RDS, etc.)
    • ACM
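
Added example (not part of the original issue and not the controller's code): a pre-apply check that each key a Certificate spec references holds the PEM type that field expects, given that in a kubernetes.io/tls secret tls.crt carries the certificate and tls.key the private key. It does not address the secret-type restriction itself; the helper names, the sample Secret and its placeholder PEM bodies are constructed for illustration.

```python
import base64
import re

# PEM labels accepted for each Certificate spec field that appears in the issue.
EXPECTED = {
    "certificate": {"CERTIFICATE"},
    "privateKey": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def pem_labels(b64_value):
    """Return the PEM labels found in one base64-encoded Secret data value."""
    text = base64.b64decode(b64_value).decode("ascii", errors="replace")
    return set(PEM_BEGIN.findall(text))


def check_references(cert_spec, secret):
    """List every spec field whose referenced key holds the wrong kind of PEM."""
    findings = []
    data = secret.get("data", {})
    for field, allowed in EXPECTED.items():
        ref = cert_spec.get(field)
        if ref is None:
            continue
        key = ref["key"]
        if key not in data:
            findings.append(f"{field}: key {key!r} is not in the secret")
            continue
        labels = pem_labels(data[key])
        if not labels or not labels <= allowed:
            findings.append(f"{field}: key {key!r} holds {sorted(labels)}")
    return findings


def _pem(label):
    # Constructed placeholder body, not real key material.
    text = f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"
    return base64.b64encode(text.encode()).decode()


# Constructed Secret, shaped like `kubectl get secret -o json` output.
SAMPLE_SECRET = {
    "type": "kubernetes.io/tls",
    "data": {"tls.crt": _pem("CERTIFICATE"), "tls.key": _pem("PRIVATE KEY")},
}
# Key references as written in the manifest above, then the conventional mapping.
AS_POSTED = {"certificate": {"key": "tls.key"}, "privateKey": {"key": "tls.crt"}}
CONVENTIONAL = {"certificate": {"key": "tls.crt"}, "privateKey": {"key": "tls.key"}}
```

Running `check_references` against the live Secret before applying the Certificate resource keeps private key material from being submitted in the certificate field.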

Labels: kind/enhancement, service/acm