Warn users not to use insecure TSIG algorithms when using DNS UPDATE and ACME DNS01

[wallrj]

• SHA1 and MD5 are allowed by our API but they are insecure.
• We could return a deprecation warning if those are used.

cert-manager/internal/apis/certmanager/validation/issuer.go

Lines 386 to 392 in 833311d

	// This list must be kept in sync with pkg/issuer/acme/dns/rfc2136/rfc2136.go
	var supportedTSIGAlgorithms = []string{
	"HMACMD5",
	"HMACSHA1",
	"HMACSHA256",
	"HMACSHA512",
	}

Links

• https://cert-manager.io/docs/configuration/acme/dns01/rfc2136/
• https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEIssuerDNS01ProviderRFC2136
• Use our own implementation of miekg/dns.TsigProvider interface #4958
• RFC 2136: Dynamic Updates in the Domain Name System (DNS UPDATE)

Originally posted by @inteon in #6579 (comment)

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

[cert-manager-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/remove-lifecycle stale

[cert-manager-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
/close

[cert-manager-prow]

@cert-manager-bot: Closing this issue.

Details

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.