feat(acme): Add default feature gate for ACME HTTP01 Ingress pathType Exact

[sspreitzer]

Pull Request Motivation

With the release of cert-manager version 1.18.1 the pathType changes from ImplementationSpecific to Exact. This PR implements the feature gate ACMEHTTP01IngressPathTypeExact.

ACMEHTTP01IngressPathTypeExact changes the default pathType for ACME HTTP01 Ingress based challenges to Exact. This security feature ensures that the challenge path (which is an exact path) is not misinterpreted as a regular expression or some other Ingress specific (ImplementationSpecific) parsing. This allows HTTP01 challenges to be solved when using standards compliant Ingress controllers such as Cilium. The old default ImplementationSpecific can be reinstated by disabling this feature gate. You may need to disable the feature for compatibility with ingress-nginx. See version 1.18 release notes.

Kind

/kind feature

Release Note

Add a feature gate to default to Ingress `pathType` `Exact` in ACME HTTP01 Ingress challenge solvers.

[cert-manager-prow]

@sspreitzer: The label(s) kind/release, kind/note cannot be applied, because the repository doesn't have them.

Details

In response to this:

Pull Request Motivation

Kind

/kind

Release Note

NONE

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[cert-manager-prow]

Hi @sspreitzer. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[sspreitzer]

/kind feature

[sspreitzer]

@wallrj Please have a look. There could be some parts missing, eg. tests and e2e tests. If they should be part of this PR.

[wallrj]

/ok-to-test

@sspreitzer I expect the E2E tests will fail since #7792.

• Upgrade ingress-nginx in E2E tests #7792

I'll figure out how to work around that.

[wallrj]

I think what we need to do is --set config.strict-path-validation=false here:

cert-manager/make/e2e-setup.mk

Lines 369 to 388 in 12cad36

	e2e-setup-ingressnginx: $(call image-tar,ingressnginx) load-$(call image-tar,ingressnginx) | $(NEEDS_HELM)
	@$(eval TAG=$(shell tar xfO $< manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f2))
	$(HELM) repo add ingress-nginx --force-update https://kubernetes.github.io/ingress-nginx >/dev/null
	$(HELM) upgrade \
	--install \
	--wait \
	--version 4.12.3 \
	--namespace ingress-nginx \
	--create-namespace \
	--set controller.image.tag=$(TAG) \
	--set controller.image.registry=registry.k8s.io \
	--set controller.image.digest= \
	--set controller.image.pullPolicy=Never \
	--set controller.service.clusterIP=${SERVICE_IP_PREFIX}.15 \
	--set controller.service.type=ClusterIP \
	--set controller.config.no-tls-redirect-locations= \
	--set admissionWebhooks.enabled=true \
	--set controller.admissionWebhooks.enabled=true \
	--set controller.watchIngressWithoutClass=true \
	ingress-nginx ingress-nginx/ingress-nginx >/dev/null

• https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type

And then, ideally, figure out how we can set that to true if the new feature gate is disabled.
Because we run the E2E tests periodically with all the features disabled.

cert-manager/make/e2e-setup.mk

Line 228 in 12cad36

FEATURE_GATES ?= ExperimentalCertificateSigningRequestControllers=true,ExperimentalGatewayAPISupport=true,ServerSideApply=true,LiteralCertificateSubject=true,UseCertificateRequestBasicConstraints=true,NameConstraints=true,OtherNames=true

• https://testgrid.k8s.io/cert-manager-periodics-release-1.18#ci-cert-manager-release-1.18-e2e-v1-33-feature-gates-disabled
• https://github.com/search?q=repo%3Acert-manager/testing%20preset-disable-all-alpha-beta-feature-gates&type=code

If you want to try running some of the E2E tests rather than the whole suite, you can do this:

make e2e-setup
make e2e GINKGO_FOCUS='ACME HTTP01 Issuer \(Ingress\)'

If you want to test the updated code on a real cluster (with cilium installed), you can publish the images to a public registry and deploy to the current cluster in your kubeconfig, as follows:

• [VC-39805] Change the default privateKey.rotationPolicy to Always #7723 (comment)
• Fix AWS Route53 error detection for not-found errors during deletion #7690 (see the E2E testing section in the PR description)

[sspreitzer]

/test pull-cert-manager-master-e2e-v1-33-upgrade

[sspreitzer]

Disabled ingress-nginx's URL path validation for the end to end tests. The validation violates several RFCs used by cert-manager, eg. URL & well-known, #3985, #8615.

[wallrj]

I added an explanatory note, in #7809

• Documentation related to the ACMEHTTP01IngressPathTypeExact feature #7809

[sspreitzer]

@wallrj I believe we are good to go.

Regarding the end to end testing idea of testing cert-manager with a disabled feature, that will be removed in the future:

1. Feature disablement is not tested with any feature at the moment. (As far as I can tell/see.)
2. It does not make sense to end-to-end test features disablements, as they will be removed in the future and are not part of the future expected deterministic behaviour of the software.
3. GA Feature disablements come as a backwards aid, but not as a reliable future option switch and they will be removed in an upcoming release.

Regarding adding cilium ingress as an end-to-test scenario, I would prefer creating an other PR for that implementation.

Insofar, I believe we are ready to merge this contribution. Is the release note sufficient or shall we add some more context?

[atalakey4work]

Due to this change, NGINX Ingress Controller v1.12.3 admission validation web hook is throwing the below error which is preventing the ingress creation:

admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: ingress contains invalid paths: path /.well-known/acme-challenge/TOKEN cannot be used with pathType Exact

[sspreitzer]

@atalakey4work please read: https://cert-manager.io/docs/releases/release-notes/release-notes-1.18#acme-http01-challenge-paths-are-rejected-by-the-ingress-nginx-validating-webhook

[atalakey4work]

@sspreitzer thank you for sharing. It is clear that this bug needs to be resolved by ingress Nginx maintainers.

[Copilot]

Pull Request Overview

This PR adds a feature gate (ACMEHTTP01IngressPathTypeExact) to control whether ACME HTTP01 Ingress challenge solvers default to pathType Exact or ImplementationSpecific. It introduces new unit tests in the ingress_test.go file, updates ingress creation logic in ingress.go, tweaks e2e test configuration in make/e2e-setup.mk, and adds the new feature flag in the internal/controller/feature/features.go file.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File	Description
pkg/issuer/acme/http/ingress_test.go	Added tests to validate Ingress pathType behavior based on the feature gate
pkg/issuer/acme/http/ingress.go	Updated Ingress creation logic to select the correct pathType
make/e2e-setup.mk	Added configuration to disable strict path type validation for e2e tests
internal/controller/feature/features.go	Added and documented the new ACMEHTTP01IngressPathTypeExact feature flag

Comments suppressed due to low confidence (1)

internal/controller/feature/features.go:181

• There appears to be an extra backtick in the documentation comment. Consider changing pathType`` to pathType` for clarity and consistency.

// `ACMEHTTP01IngressPathTypeExact` changes the default `pathType`` for ACME

[wallrj]

Thanks @sspreitzer

This looks good enough to me.
Let's merge it and tomorrow
I didn't mean that you should add automated cilium tests. I just meant that you should do a manual E2E test to verity that cert-manager HTTP01 can now be used with the cilium ingress.

Similarly, I'll go through the https://cert-manager.io/docs/tutorials/acme/nginx-ingress/ tutorial to see for myself that disabling the feature gate allows me to use ingress-nginx 4.12....we'll need to add a note to that tutorial.

There's a tiny typo in the feature gate docs which we can address in an another PR.

And I want to update this section in the helm chart before we release 1.18.1, with this and another new feature gate.

cert-manager/deploy/charts/cert-manager/values.yaml

Lines 237 to 253 in 12cad36

	# # Feature gates as of v1.18.0. Listed with their default values.
	# # See https://cert-manager.io/docs/cli/controller/
	# featureGates:
	# AdditionalCertificateOutputFormats: true # GA - default=true
	# AllAlpha: false # ALPHA - default=false
	# AllBeta: false # BETA - default=false
	# ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false
	# ExperimentalGatewayAPISupport: true # BETA - default=true
	# LiteralCertificateSubject: true # BETA - default=true
	# NameConstraints: true # BETA - default=true
	# OtherNames: false # ALPHA - default=false
	# SecretsFilteredCaching: true # BETA - default=true
	# ServerSideApply: false # ALPHA - default=false
	# StableCertificateRequestName: true # BETA - default=true
	# UseCertificateRequestBasicConstraints: false # ALPHA - default=false
	# UseDomainQualifiedFinalizer: true # GA - default=true
	# ValidateCAA: false # ALPHA - default=false

And I'll need to update the cert-manager documentation with this new featuregate.

/approve
/lgtm

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wallrj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [wallrj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wallrj]

/cherry-pick release-1.18

[cert-manager-bot]

@wallrj: #7795 failed to apply on top of branch "release-1.18":

Applying: feat(acme): Add default feature gate to set Ingress pathType to Exact
Using index info to reconstruct a base tree...
M	make/e2e-setup.mk
M	pkg/issuer/acme/http/ingress_test.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/issuer/acme/http/ingress_test.go
Auto-merging make/e2e-setup.mk
CONFLICT (content): Merge conflict in make/e2e-setup.mk
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 feat(acme): Add default feature gate to set Ingress pathType to Exact

Details

In response to this:

/cherry-pick release-1.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[wallrj]

/cherry-pick release-1.18

[cert-manager-bot]

@wallrj: new pull request created: #7810

Details

In response to this:

/cherry-pick release-1.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[wallrj]

Testing

I temporarily re-enabled the ingress-nginx strict-validate-path feature

_bin/tools/helm upgrade \
                                                                 --install \
                                                                 --wait \
                                                                 --version 4.12.3 \
                                                                 --namespace ingress-nginx \
                                                                 --create-namespace \
                                                                 --set controller.image.tag=v1.12.3 \
                                                                 --set controller.image.registry=registry.k8s.io \
                                                                 --set controller.image.digest= \
                                                                 --set controller.image.pullPolicy=Never \
                                                                 --set controller.service.clusterIP=10.0.0.15 \
                                                                 --set controller.service.type=ClusterIP \
                                                                 --set controller.config.no-tls-redirect-locations= \
                                                                 --set-string controller.config.strict-validate-path-type=true \
                                                                 --set admissionWebhooks.enabled=true \
                                                                 --set controller.admissionWebhooks.enabled=true \
                                                                 --set controller.watchIngressWithoutClass=true \
                                                                 ingress-nginx ingress-nginx/ingress-nginx

Observed the E2E tests fail:

make e2e GINKGO_FOCUS='ACME HTTP01 Issuer \(Ingress\)'

kubectl logs -n ingress-nginx deployments/ingress-nginx-controller controller --follow
...

E0617 15:18:17.498281 11 main.go:96] "invalid ingress configuration" err="ingress contains invalid paths: path /.well-known/acme-challenge/x__34KyXMhSW2HcazsO3wipzzuqlvN_nz8vmUzdKjWg cannot be used with pathType Exact" ingress="e2e-tests-certificatesigningrequests-6lpmf/cm-acme-http-solver-5v428"

$ kubectl  -n cert-manager logs deployments/cert-manager --follow
...

W0617 15:18:17.501566 1 warnings.go:70] path /.well-known/acme-challenge/x__34KyXMhSW2HcazsO3wipzzuqlvN_nz8vmUzdKjWg cannot be used with pathType Exact
E0617 15:18:17.501845 1 controller.go:157] "re-queuing item due to error processing" err="admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: ingress contains invalid paths: path /.well-known/acme-challenge/x__34KyXMhSW2HcazsO3wipzzuqlvN_nz8vmUzdKjWg cannot be used with pathType Exact" logger="cert-manager.controller"

Verified that I can disable the ACMEHTTP01IngressPathTypeExact feature.
Here I modified the Helm values which are used in the E2E tests.

acmesolver:
  image:
    repository: cert-manager-acmesolver-amd64
    tag: v1.18.0-17-g379f43e3de2237
cainjector:
  extraArgs:
  - --feature-gates=ServerSideApply=true
  image:
    repository: cert-manager-cainjector-amd64
    tag: v1.18.0-17-g379f43e3de2237
crds:
  enabled: true
dns01RecursiveNameservers: 10.0.0.16:53
dns01RecursiveNameserversOnly: true
extraArgs:
- --kube-api-qps=9000
- --kube-api-burst=9000
- --concurrent-workers=200
- --enable-gateway-api
featureGates: ExperimentalCertificateSigningRequestControllers=true,ExperimentalGatewayAPISupport=true,ServerSideApply=true,LiteralCertificateSubject=true,UseCertificateRequestBasicConstraints=true,NameConstraints=true,OtherNames=true,ACMEHTTP01IngressPathTypeExact=false
image:
  repository: cert-manager-controller-amd64
  tag: v1.18.0-17-g379f43e3de2237
startupapicheck:
  image:
    repository: cert-manager-startupapicheck-amd64
    tag: v1.18.0-17-g379f43e3de2237
webhook:
  featureGates: LiteralCertificateSubject=true,NameConstraints=true,OtherNames=true
  image:
    repository: cert-manager-webhook-amd64
    tag: v1.18.0-17-g379f43e3de2237

$ kubectl  -n cert-manager logs deployments/cert-manager --follow
...

W0617 15:26:16.280677 1 feature_gate.go:354] Setting GA feature gate ACMEHTTP01IngressPathTypeExact=false. It will be removed in a future release.

Now the E2E tests pass:

$make e2e GINKGO_FOCUS='ACME HTTP01 Issuer \(Ingress\)'
...
[Conformance] Certificates with External Account Binding CertificateSigningRequest with issuer type ACME HTTP01 Issuer (Ingress) should issue an ECDSA certificate for a single distinct DNS Name
/home/richard/projects/cert-manager/cert-manager/test/e2e/suite/conformance/certificatesigningrequests/suite.go:149
  STEP: Creating a kubernetes client @ 06/17/25 16:34:37.863
  STEP: Creating an API extensions client @ 06/17/25 16:34:37.864
  STEP: Creating a cert manager client @ 06/17/25 16:34:37.864
  STEP: Creating a controller-runtime client @ 06/17/25 16:34:37.864
  STEP: Creating a gateway-api client @ 06/17/25 16:34:37.864
  STEP: Building a namespace api object @ 06/17/25 16:34:37.864
  STEP: Using the namespace e2e-tests-certificatesigningrequests-rmw6f @ 06/17/25 16:34:37.866
  STEP: Building a ResourceQuota api object @ 06/17/25 16:34:37.866
  STEP: Creating an issuer resource @ 06/17/25 16:34:37.874
  STEP: Creating an ACME HTTP01 Issuer @ 06/17/25 16:34:37.877
  STEP: Waiting for acme HTTP01 Issuer to be Ready @ 06/17/25 16:34:37.887
  Jun 17 16:34:37.889: INFO: Expected Issuer acme-issuer-http01-4c9r5 condition Ready=True but it has: []
  Jun 17 16:34:38.392: INFO: Expected Issuer acme-issuer-http01-4c9r5 condition Ready=True but it has: [] (took 0s)
  STEP: Creating a CertificateSigningRequest @ 06/17/25 16:34:38.392
  STEP: Approving CertificateSigningRequest @ 06/17/25 16:34:38.397
  STEP: Waiting for the CertificateSigningRequest to be issued... @ 06/17/25 16:34:38.402
  Jun 17 16:34:38.402: INFO: Waiting for CertificateSigningRequest e2e-conformance-cq797qll7z to be ready
  Jun 17 16:34:43.402: INFO: Waiting for CertificateSigningRequest e2e-conformance-cq797qll7z to be ready
  Jun 17 16:34:51.779: INFO: Waiting for CertificateSigningRequest e2e-conformance-cq797qll7z to be ready
  Jun 17 16:34:59.778: INFO: Waiting for CertificateSigningRequest e2e-conformance-cq797qll7z to be ready
  Jun 17 16:35:02.781: INFO: Waiting for CertificateSigningRequest e2e-conformance-cq797qll7z to be ready (took 22s)
  STEP: Validating the issued CertificateSigningRequest... @ 06/17/25 16:35:02.781
  STEP: Cleaning up the issuer resource @ 06/17/25 16:35:02.791
  STEP: Deleting test namespace @ 06/17/25 16:35:02.795
• [22.560 seconds]

[wallrj]

Also checked that I can disable the feature via the config file

# values.yaml
config:
  featureGates:
    # Disable the use of Exact PathType in Ingress resources, to work around a bug in ingress-nginx
    # https://github.com/kubernetes/ingress-nginx/issues/11176
    ACMEHTTP01IngressPathTypeExact: false

helm upgrade -n cert-manager cert-manager _bin/cert-manager.tgz --values values.yaml

$ kubectl  -n cert-manager logs deployments/cert-manager --follow
W0617 15:42:25.514056       1 feature_gate.go:354] Setting GA feature gate ACMEHTTP01IngressPathTypeExact=false. It will be removed in a future release.

[wallrj]

This should be featuregate.Beta, like DefaultPrivateKeyRotationPolicyAlways above it.
It'll cause it to be turned on by default, but won't show a warning in the logs if you disable it.

[wallrj]

• Change ACMEHTTP01IngressPathTypeExact feature to beta #7813