ACK Cloudfront Controller - Distribution - specs are mutated when using acmCertificateRef #2092

Open
nicolascollet-aldebarancom opened this issue Jun 18, 2024 · 2 comments
Labels
area/runtime Issues or PRs as related to controller runtime, common reconciliation logic, etc kind/bug Categorizes issue or PR as related to a bug. service/cloudfront Indicates issues or PRs that are related to cloudfront-controller.

Comments

@nicolascollet-aldebarancom

Describe the bug
Specs are mutated when using acmCertificateRef

Steps to reproduce

Create Distribution

$ kubectl apply -f - <<EOF
apiVersion: cloudfront.services.k8s.aws/v1alpha1
kind: Distribution
metadata:
  name: foo-bar
spec:
  distributionConfig:
    aliases:
      items:
      - foo.bar
    cacheBehaviors: {}
    comment: distribution for foo.bar
    customErrorResponses: {}
    defaultCacheBehavior:
      allowedMethods:
        cachedMethods:
          items:
          - HEAD
          - GET
          - OPTIONS
        items:
        - HEAD
        - GET
        - OPTIONS
      compress: true
      defaultTTL: 0
      fieldLevelEncryptionID: ""
      forwardedValues:
        cookies:
          forward: none
        headers: {}
        queryString: false
        queryStringCacheKeys: {}
      functionAssociations: {}
      lambdaFunctionAssociations: {}
      maxTTL: 0
      minTTL: 0
      smoothStreaming: false
      targetOriginID: eks_ingress
      trustedKeyGroups:
        enabled: false
      trustedSigners:
        enabled: false
      viewerProtocolPolicy: redirect-to-https
    defaultRootObject: index.html
    enabled: true
    httpVersion: http2
    logging:
      bucket: ""
      enabled: false
      includeCookies: false
      prefix: ""
    origins:
      items:
      - connectionAttempts: 3
        connectionTimeout: 10
        customHeaders: {}
        customOriginConfig:
          httpPort: 80
          httpSPort: 443
          originKeepaliveTimeout: 5
          originProtocolPolicy: match-viewer
          originReadTimeout: 30
          originSSLProtocols:
            items:
              - TLSv1.2
        domainName: foo.baz
        id: eks_ingress
        originAccessControlID: ""
        originPath: ""
        originShield:
          enabled: false
    priceClass: PriceClass_All
    restrictions:
      geoRestriction:
        restrictionType: none
    viewerCertificate:
      acmCertificateRef:
        from:
          name: foo-bar
      certificateSource: acm
      minimumProtocolVersion: TLSv1.2_2021
      sslSupportMethod: sni-only
    webACLID: ""
EOF
distribution.cloudfront.services.k8s.aws/foo-bar created

Check Distribution

kubectl get distributions.cloudfront.services.k8s.aws foo-bar -o=jsonpath='{.spec.distributionConfig.viewerCertificate}' |yq -P

acmCertificateARN: arn:aws:acm:us-east-1:123456789:certificate/8c7f71cf-de08-41d3-afb5-79feca3c2fd8
certificate: arn:aws:acm:us-east-1:123456789:certificate/8c7f71cf-de08-41d3-afb5-79feca3c2fd8
certificateSource: acm
minimumProtocolVersion: TLSv1.2_2021
sslSupportMethod: sni-only

Expected outcome

specs should not be mutated

kubectl get distributions.cloudfront.services.k8s.aws foo-bar -o=jsonpath='{.spec.distributionConfig.viewerCertificate}' |yq -P

acmCertificateRef:
  from:
    name: pbs-front-svelte
certificateSource: acm
minimumProtocolVersion: TLSv1.2_2021
sslSupportMethod: sni-only

and when using a GitOps tool like ArgoCD, an error occurred:

  conditions:
    - lastTransitionTime: '2024-06-18T00:34:04Z'
      message: Reference resolution failed
      reason: >-
        both resource reference wrapper and ID cannot be used together:
        DistributionConfig.ViewerCertificate.ACMCertificateARN,DistributionConfig.ViewerCertificate.ACMCertificateRef
      status: Unknown
      type: ACK.ReferencesResolved

Environment

  • Kubernetes version: 1.28
  • Using EKS (yes/no), if so version? v1.28.1-eks-43840fb
  • AWS service targeted (S3, RDS, etc.): cloudfront, acm
@a-hilaly a-hilaly added area/runtime Issues or PRs as related to controller runtime, common reconciliation logic, etc service/cloudfront Indicates issues or PRs that are related to cloudfront-controller. kind/bug Categorizes issue or PR as related to a bug. labels Jun 18, 2024
@a-hilaly
Member

This looks a lot like the one mentioned in #1855. It's a weird issue with field references that only happens during resource creation. However, once you fix the Custom Resource (by only keeping the references and removing their resolved values), updates work just fine without any problems.
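As an added example (not code from the issue, its commenters, or the ACK project), a small Python check an operator can run over a Distribution spec pulled with kubectl: it reports ref/resolved-value pairs in the same format as the ACK.ReferencesResolved message above and produces the repaired spec that keeps the reference and drops the written-back values. The `<field>Ref` / `<field>ARN|ID` pairing and the treatment of the duplicate `certificate` field are assumptions; the sample spec is constructed from the YAML in the issue.

```python
"""Detect and repair the mutation in this issue: a *Ref wrapper whose
resolved *ARN value was written back into spec, so a re-apply carries both
and ACK.ReferencesResolved fails. Added example, not ACK project code; the
<field>Ref / <field>ARN|ID pairing is assumed from ACK's naming convention."""

REF_SUFFIX = "Ref"
RESOLVED_SUFFIXES = ("ARN", "ID")
ARN = "arn:aws:acm:us-east-1:123456789:certificate/8c7f71cf-de08-41d3-afb5-79feca3c2fd8"

# Constructed sample: the live spec after creation, with acmCertificateRef
# re-applied by a GitOps tool on top of the controller-resolved values.
MUTATED_SPEC = {"distributionConfig": {"viewerCertificate": {
    "acmCertificateRef": {"from": {"name": "foo-bar"}},
    "acmCertificateARN": ARN, "certificate": ARN, "certificateSource": "acm",
    "minimumProtocolVersion": "TLSv1.2_2021", "sslSupportMethod": "sni-only",
}}}

def find_ref_conflicts(obj, path=""):
    """Return 'resolvedField,refField' pairs, in the controller's message
    format, wherever a *Ref wrapper and its resolved sibling coexist."""
    conflicts = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.endswith(REF_SUFFIX):
                base = key[: -len(REF_SUFFIX)]
                for suffix in RESOLVED_SUFFIXES:
                    if base + suffix in obj:
                        conflicts.append(f"{path}{base}{suffix},{path}{key}")
            conflicts.extend(find_ref_conflicts(value, f"{path}{key}."))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            conflicts.extend(find_ref_conflicts(item, f"{path}[{i}]."))
    return conflicts

def strip_resolved_values(obj):
    """Return a copy that keeps every *Ref wrapper and drops its resolved
    siblings (the repair suggested in the comment above)."""
    if isinstance(obj, list):
        return [strip_resolved_values(v) for v in obj]
    if not isinstance(obj, dict):
        return obj
    drop = set()
    for key in obj:
        if key.endswith(REF_SUFFIX):
            for suffix in RESOLVED_SUFFIXES:
                resolved = obj.get(key[: -len(REF_SUFFIX)] + suffix)
                # Assumption: every sibling holding the resolved value (the
                # legacy 'certificate' field in the issue output) is a write-back.
                drop.update(k for k, v in obj.items() if resolved and v == resolved)
    return {k: strip_resolved_values(v) for k, v in obj.items() if k not in drop}
```

Feed it the output of `kubectl get distribution foo-bar -o json` (the `.spec` object) to confirm the live CR is in the conflicting state before patching it.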

@a-hilaly
Member

We'll probably fix this while implementing dynamic references #1576 ~
