Add support for explicit template selection.

Nick Perry · Nick Perry · commit 7b0d4eea0868 · 2025-11-10T03:21:20.000Z
- Added ExplicitTemplateSelection field to AWSPCAIssuerSpec to control
  the usage of the aws-privateca.cert-manager.io/template-arn annotation.
- Added resolveTemplateArn function which uses
  aws-privateca.cert-manager.io/template-arn annotation if
  ExplicitTemplateSelection is true.
- Updated PCAProvisioner to call resolveTemplateArn.
- Added unit tests for the new behavior.

Signed-off-by: Nick Perry &lt;nick@nickperry.co.uk&gt;
diff --git a/charts/aws-pca-issuer/crds/awspca.cert-manager.io_awspcaclusterissuers.yaml b/charts/aws-pca-issuer/crds/awspca.cert-manager.io_awspcaclusterissuers.yaml
@@ -43,6 +43,13 @@ spec:
               arn:
                 description: Specifies the ARN of the PCA resource
                 type: string
+              explicitTemplateSelection:
+                description: |-
+                  When set to true, Certificates can explicitly select a specific
+                  PCA template via the aws-privateca.cert-manager.io/template-arn annotation.
+                  When false, this Certifcate annotation will be ignored and template
+                  selection will be based on the Certificate spec.
+                type: boolean
               region:
                 description: Should contain the AWS region if it cannot be inferred
                 type: string
diff --git a/charts/aws-pca-issuer/crds/awspca.cert-manager.io_awspcaissuers.yaml b/charts/aws-pca-issuer/crds/awspca.cert-manager.io_awspcaissuers.yaml
@@ -42,6 +42,13 @@ spec:
               arn:
                 description: Specifies the ARN of the PCA resource
                 type: string
+              explicitTemplateSelection:
+                description: |-
+                  When set to true, Certificates can explicitly select a specific
+                  PCA template via the aws-privateca.cert-manager.io/template-arn annotation.
+                  When false, this Certifcate annotation will be ignored and template
+                  selection will be based on the Certificate spec.
+                type: boolean
               region:
                 description: Should contain the AWS region if it cannot be inferred
                 type: string
diff --git a/config/crd/bases/awspca.cert-manager.io_awspcaclusterissuers.yaml b/config/crd/bases/awspca.cert-manager.io_awspcaclusterissuers.yaml
@@ -43,6 +43,13 @@ spec:
               arn:
                 description: Specifies the ARN of the PCA resource
                 type: string
+              explicitTemplateSelection:
+                description: |-
+                  When set to true, Certificates can explicitly select a specific
+                  PCA template via the aws-privateca.cert-manager.io/template-arn annotation.
+                  When false, this Certificate annotation will be ignored and template
+                  selection will be based on the Certificate spec.
+                type: boolean
               region:
                 description: Should contain the AWS region if it cannot be inferred
                 type: string
diff --git a/config/crd/bases/awspca.cert-manager.io_awspcaissuers.yaml b/config/crd/bases/awspca.cert-manager.io_awspcaissuers.yaml
@@ -42,6 +42,12 @@ spec:
               arn:
                 description: Specifies the ARN of the PCA resource
                 type: string
+              explicitTemplateSelection:
+                description: |-
+                  When set to true, Certificates can explicitly select a specific
+                  PCA template via the aws-privateca.cert-manager.io/template-arn annotation.
+                  When false, this Certifcate annotation will be ignored and template
+                  selection will be based on the Certificate spec.
               region:
                 description: Should contain the AWS region if it cannot be inferred
                 type: string
diff --git a/pkg/api/v1beta1/awspcaissuer_types.go b/pkg/api/v1beta1/awspcaissuer_types.go
@@ -31,6 +31,14 @@ type AWSPCAIssuerSpec struct {
 
 	// Specifies the ARN of the PCA resource
 	Arn string `json:"arn,omitempty"`
+	// ExplicitTemplateSelection controls whether the issuer will honor the
+	// aws-privateca.cert-manager.io/template-arn annotation on Certificate
+	// resources. When set to true, the annotation (if present) will be used
+	// to select the PCA template ARN. When false, the annotation will be
+	// ignored and the template will be selected based on the Certificate spec.
+	// Defaults to false.
+	// +optional
+	ExplicitTemplateSelection bool `json:"explicitTemplateSelection,omitempty"`
 	// Should contain the AWS region if it cannot be inferred
 	// +optional
 	Region string `json:"region,omitempty"`
diff --git a/pkg/aws/pca.go b/pkg/aws/pca.go
@@ -68,10 +68,11 @@ type acmPCAClient interface {
 
 // PCAProvisioner contains logic for issuing PCA certificates
 type PCAProvisioner struct {
-	pcaClient        acmPCAClient
-	arn              string
-	signingAlgorithm *acmpcatypes.SigningAlgorithm
-	clock            func() time.Time
+	pcaClient                 acmPCAClient
+	arn                       string
+	signingAlgorithm          *acmpcatypes.SigningAlgorithm
+	clock                     func() time.Time
+	explicitTemplateSelection bool
 }
 
 func GetConfig(ctx context.Context, client client.Client, spec *api.AWSPCAIssuerSpec) (aws.Config, error) {
@@ -166,7 +167,8 @@ func GetProvisioner(ctx context.Context, client client.Client, name types.Namesp
 		pcaClient: acmpca.NewFromConfig(config, acmpca.WithAPIOptions(
 			middleware.AddUserAgentKeyValue(injections.UserAgent, injections.PlugInVersion),
 		)),
-		arn: spec.Arn,
+		arn:                       spec.Arn,
+		explicitTemplateSelection: spec.ExplicitTemplateSelection,
 	}
 	collection.Store(name, provisioner)
 
@@ -193,7 +195,8 @@ func (p *PCAProvisioner) Sign(ctx context.Context, cr *cmapi.CertificateRequest,
 		validityExpiration = int64(p.now().Unix()) + int64(cr.Spec.Duration.Seconds())
 	}
 
-	tempArn := templateArn(p.arn, cr.Spec)
+	// Determine template ARN to use
+	tempArn := p.resolveTemplateArn(ctx, cr)
 
 	// Consider it a "retry" if we try to re-create a cert with the same name in the same namespace
 	token := idempotencyToken(cr)
@@ -228,6 +231,27 @@ func (p *PCAProvisioner) Sign(ctx context.Context, cr *cmapi.CertificateRequest,
 	return nil
 }
 
+// resolveTemplateArn determines which PCA template ARN to use for a
+// CertificateRequest.
+//
+// If the CertificateRequest has the annotation
+// "aws-privateca.cert-manager.io/template-arn" and it is non-empty, the
+// value of the annotation is returned. Otherwise, fall back to inference logic
+// implemented by `templateArn`.
+func (p *PCAProvisioner) resolveTemplateArn(ctx context.Context, cr *cmapi.CertificateRequest) string {
+	const annotationKey = "aws-privateca.cert-manager.io/template-arn"
+
+	// Only use the annotation when the Issuer permits it.
+	if p.explicitTemplateSelection {
+		if val, ok := cr.ObjectMeta.GetAnnotations()[annotationKey]; ok && strings.TrimSpace(val) != "" {
+			return val
+		}
+	}
+
+	// Fall back to inference logic based on spec
+	return templateArn(p.arn, cr.Spec)
+}
+
 func (p *PCAProvisioner) Get(ctx context.Context, cr *cmapi.CertificateRequest, certArn string, log logr.Logger) ([]byte, []byte, error) {
 	getParams := acmpca.GetCertificateInput{
 		CertificateArn:          aws.String(certArn),
diff --git a/pkg/aws/pca_test.go b/pkg/aws/pca_test.go
@@ -818,6 +818,35 @@ func TestPCASign(t *testing.T) {
 	}
 }
 
+func TestResolveTemplateArn_ExplicitSelection(t *testing.T) {
+	// Set up a minimal CSR
+	key, _ := rsa.GenerateKey(rand.Reader, 2048)
+	csrBytes, _ := x509.CreateCertificateRequest(rand.Reader, &template, key)
+
+	// Case 1: Issuer enables explicit template selection; annotation should be used
+	crWithAnnotation := &cmapi.CertificateRequest{
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				"aws-privateca.cert-manager.io/template-arn": "arn:custom:template/Custom/V1",
+			},
+		},
+		Spec: cmapi.CertificateRequestSpec{
+			Request: pem.EncodeToMemory(&pem.Block{Bytes: csrBytes, Type: "CERTIFICATE REQUEST"}),
+		},
+	}
+
+	p := PCAProvisioner{arn: arn, pcaClient: &workingACMPCAClient{}, explicitTemplateSelection: true}
+	got := p.resolveTemplateArn(context.TODO(), crWithAnnotation)
+	assert.Equal(t, "arn:custom:template/Custom/V1", got, "should return the annotation when explicit selection enabled")
+
+	// Case 2: Issuer disables explicit template selection; annotation should be ignored
+	crWithAnnotation2 := crWithAnnotation.DeepCopy()
+	p2 := PCAProvisioner{arn: arn, pcaClient: &workingACMPCAClient{}, explicitTemplateSelection: false}
+	got2 := p2.resolveTemplateArn(context.TODO(), crWithAnnotation2)
+	// Should fall back to inference based on usages (none -> BlankEndEntity...)
+	assert.True(t, strings.HasSuffix(got2, ":acm-pca:::template/BlankEndEntityCertificate_APICSRPassthrough/V1"), "should fall back to inferred template when explicit selection disabled")
+}
+
 func TestPCASignValidity(t *testing.T) {
 	now := time.Now()
 	client := &workingACMPCAClient{}
