Skip to content

feat(rfc2136): new protocol field for dns update#7881

Merged
cert-manager-prow[bot] merged 1 commit intocert-manager:masterfrom
hjoshi123:feat/protocol-dns-update
Aug 7, 2025
Merged

feat(rfc2136): new protocol field for dns update#7881
cert-manager-prow[bot] merged 1 commit intocert-manager:masterfrom
hjoshi123:feat/protocol-dns-update

Conversation

@hjoshi123
Copy link
Copy Markdown
Collaborator

@hjoshi123 hjoshi123 commented Jul 26, 2025

Pull Request Motivation

Fixes #7849

Kind

/kind feature

Release Note

added `protocol` field for `rfc2136` DNS01 provider

@cert-manager-prow cert-manager-prow bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. area/acme Indicates a PR directly modifies the ACME Issuer code area/acme/dns01 Indicates a PR modifies ACME DNS01 provider code area/api Indicates a PR directly modifies the 'pkg/apis' directory area/deploy Indicates a PR modifies deployment configuration area/testing Issues relating to testing size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 26, 2025
@hjoshi123
Copy link
Copy Markdown
Collaborator Author

hjoshi123 commented Jul 26, 2025

/ok-to-test

@hjoshi123 hjoshi123 force-pushed the feat/protocol-dns-update branch from 051171b to 2579ad7 Compare July 28, 2025 13:33
erikgb
erikgb reviewed Aug 1, 2025
View reviewed changes
erikgb
erikgb reviewed Aug 1, 2025
View reviewed changes
erikgb
erikgb reviewed Aug 1, 2025
View reviewed changes
@hjoshi123 hjoshi123 force-pushed the feat/protocol-dns-update branch 2 times, most recently from ce8ed40 to ee33e41 Compare August 2, 2025 23:01
@hjoshi123 hjoshi123 requested a review from erikgb August 2, 2025 23:27
erikgb
erikgb reviewed Aug 3, 2025
View reviewed changes
erikgb
erikgb reviewed Aug 3, 2025
View reviewed changes
@hjoshi123 hjoshi123 force-pushed the feat/protocol-dns-update branch 3 times, most recently from be42f14 to 3dbfc6b Compare August 5, 2025 17:52
@hjoshi123 hjoshi123 requested a review from erikgb August 6, 2025 13:35
erikgb
erikgb reviewed Aug 6, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@erikgb erikgb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for following up on this, @hjoshi123! Looks good, and I think this is close to LGTM from me. I just did a more detailed review and added a few nit comments.

/approve

pkg/issuer/acme/dns/rfc2136/rfc2136.go Outdated
Comment on lines +59 to +65
func WithNetwork(protocol string) ProviderOption {
return func(d *DNSProvider) {
if protocol == "" {
protocol = strings.ToLower(string(cmacme.RFC2136UpdateProtocolUDP))
}
d.network = strings.ToLower(protocol)
}
}
Copy link
Copy Markdown
Member

@erikgb erikgb Aug 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
func WithNetwork(protocol string) ProviderOption {
return func(d *DNSProvider) {
if protocol == "" {
protocol = strings.ToLower(string(cmacme.RFC2136UpdateProtocolUDP))
}
d.network = strings.ToLower(protocol)
}
}
func WithNetwork(network string) ProviderOption {
return func(d *DNSProvider) {
if network == "" {
network = "udp"
}
d.network = strings.ToLower(network)
}
}

We could also move the strings.ToLower conversion outside this function, to avoid having 3 representations of the same thing. 😉

@cert-manager-prow
Copy link
Copy Markdown
Contributor

cert-manager-prow bot commented Aug 6, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: erikgb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 6, 2025
erikgb
erikgb reviewed Aug 6, 2025
View reviewed changes
@hjoshi123 hjoshi123 force-pushed the feat/protocol-dns-update branch from 3dbfc6b to 8c29cb6 Compare August 6, 2025 22:02
@hjoshi123
Copy link
Copy Markdown
Collaborator Author

hjoshi123 commented Aug 6, 2025

@erikgb thank you for those nits.. changed it and we should be good now.. Would really love to shadow you for a code review so that I can help out in those too

@hjoshi123
added protocol field and codegen
945f656 
Signed-off-by: hjoshi123 <mail@hjoshi.me>

Simplify options pattern use

Signed-off-by: Erik Godding Boye <egboye@gmail.com>
Signed-off-by: hjoshi123 <mail@hjoshi.me>
@hjoshi123 hjoshi123 force-pushed the feat/protocol-dns-update branch from 8c29cb6 to 945f656 Compare August 6, 2025 22:09
erikgb
erikgb reviewed Aug 7, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@erikgb erikgb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @hjoshi123! 🚀 I think this looks good now! Hopefully some of the requesters of this feature can test it when available in an alpha release of cert-manager 1.19.

/lgtm

@cert-manager-prow cert-manager-prow bot added the lgtm Indicates that a PR is ready to be merged. label Aug 7, 2025
@cert-manager-prow cert-manager-prow bot merged commit 466a31e into cert-manager:master Aug 7, 2025
6 checks passed
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Oct 8, 2025
@alexlebens
Update Helm release cert-manager to v1.19.0 (#1711)
c18d3e5 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cert-manager](https://cert-manager.io) ([source](https://github.com/cert-manager/cert-manager)) | minor | `v1.18.2` -> `v1.19.0` |

---

### Release Notes

<details>
<summary>cert-manager/cert-manager (cert-manager)</summary>

### [`v1.19.0`](https://github.com/cert-manager/cert-manager/releases/tag/v1.19.0)

[Compare Source](cert-manager/cert-manager@v1.18.2...v1.19.0)

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This release focuses on expanding platform compatibility, improving deployment flexibility, enhancing observability, and addressing key reliability issues.

> 📖  Read the full release notes at cert-manager.io: <https://cert-manager.io/docs/releases/release-notes/release-notes-1.19>

Changes since `v1.18.0`:

#### Feature

- Add IPv6 rules to the default network policy ([#&#8203;7726](cert-manager/cert-manager#7726), [@&#8203;jcpunk](https://github.com/jcpunk))
- Add `global.nodeSelector` to helm chart to allow for a single `nodeSelector` to be set across all services. ([#&#8203;7818](cert-manager/cert-manager#7818), [@&#8203;StingRayZA](https://github.com/StingRayZA))
- Add a feature gate to default to Ingress `pathType` `Exact` in ACME HTTP01 Ingress challenge solvers. ([#&#8203;7795](cert-manager/cert-manager#7795), [@&#8203;sspreitzer](https://github.com/sspreitzer))
- Add generated `applyconfigurations` allowing clients to make type-safe server-side apply requests for cert-manager resources. ([#&#8203;7866](cert-manager/cert-manager#7866), [@&#8203;erikgb](https://github.com/erikgb))
- Added API defaults to issuer references group (cert-manager.io) and kind (Issuer). ([#&#8203;7414](cert-manager/cert-manager#7414), [@&#8203;erikgb](https://github.com/erikgb))
- Added `certmanager_certificate_challenge_status` Prometheus metric. ([#&#8203;7736](cert-manager/cert-manager#7736), [@&#8203;hjoshi123](https://github.com/hjoshi123))
- Added `protocol` field for `rfc2136` DNS01 provider ([#&#8203;7881](cert-manager/cert-manager#7881), [@&#8203;hjoshi123](https://github.com/hjoshi123))
- Added experimental field `hostUsers` flag to all pods. Not set by default. ([#&#8203;7973](cert-manager/cert-manager#7973), [@&#8203;hjoshi123](https://github.com/hjoshi123))
- Support configurable resource requests and limits for ACME HTTP01 solver pods through ClusterIssuer and Issuer specifications, allowing granular resource management that overrides global `--acme-http01-solver-resource-*` settings. ([#&#8203;7972](cert-manager/cert-manager#7972), [@&#8203;lunarwhite](https://github.com/lunarwhite))
- The `CAInjectorMerging` feature has been promoted to BETA and is now enabled by default ([#&#8203;8017](cert-manager/cert-manager#8017), [@&#8203;ThatsMrTalbot](https://github.com/ThatsMrTalbot))
- The controller, webhook and ca-injector now log their version and git commit on startup for easier debugging and support. ([#&#8203;8072](cert-manager/cert-manager#8072), [@&#8203;prasad89](https://github.com/prasad89))
- Updated `certificate` metrics to the collector approach. ([#&#8203;7856](cert-manager/cert-manager#7856), [@&#8203;hjoshi123](https://github.com/hjoshi123))

#### Bug or Regression

- ACME: Increased challenge authorization timeout to 2 minutes to fix `error waiting for authorization` ([#&#8203;7796](cert-manager/cert-manager#7796), [@&#8203;hjoshi123](https://github.com/hjoshi123))
- BUGFIX: permitted URI domains were incorrectly used to set the excluded URI domains in the CSR's name constraints ([#&#8203;7816](cert-manager/cert-manager#7816), [@&#8203;kinolaev](https://github.com/kinolaev))
- Enforced ACME HTTP-01 solver validation to properly reject configurations when multiple ingress options (`class`, `ingressClassName`, `name`) are specified simultaneously ([#&#8203;8021](cert-manager/cert-manager#8021), [@&#8203;lunarwhite](https://github.com/lunarwhite))
- Increase maximum sizes of PEM certificates and chains which can be parsed in cert-manager, to handle leaf certificates with large numbers of DNS names or other identities ([#&#8203;7961](cert-manager/cert-manager#7961), [@&#8203;SgtCoDFish](https://github.com/SgtCoDFish))
- Reverted adding the `global.rbac.disableHTTPChallengesRole` Helm option. ([#&#8203;7836](cert-manager/cert-manager#7836), [@&#8203;inteon](https://github.com/inteon))
- This change removes the `path` label of core ACME client metrics and will require users to update their monitoring dashboards and alerting rules if using those metrics. ([#&#8203;8109](cert-manager/cert-manager#8109), [@&#8203;mladen-rusev-cyberark](https://github.com/mladen-rusev-cyberark))
- Use the latest version of `ingress-nginx` in E2E tests to ensure compatibility ([#&#8203;7792](cert-manager/cert-manager#7792), [@&#8203;wallrj](https://github.com/wallrj))

#### Other (Cleanup or Flake)

- Helm: Fix naming template of `tokenrequest` RoleBinding resource to improve consistency ([#&#8203;7761](cert-manager/cert-manager#7761), [@&#8203;lunarwhite](https://github.com/lunarwhite))
- Improve error messages when certificates, CRLs or private keys fail admission due to malformed or missing PEM data ([#&#8203;7928](cert-manager/cert-manager#7928), [@&#8203;SgtCoDFish](https://github.com/SgtCoDFish))
- Major upgrade of Akamai SDK. NOTE: The new version has not been fully tested end-to-end due to the lack of cloud infrastructure. ([#&#8203;8003](cert-manager/cert-manager#8003), [@&#8203;hjoshi123](https://github.com/hjoshi123))
- Update kind images to include the Kubernetes 1.33 node image ([#&#8203;7786](cert-manager/cert-manager#7786), [@&#8203;wallrj](https://github.com/wallrj))
- Use `maps.Copy` for cleaner map handling ([#&#8203;8092](cert-manager/cert-manager#8092), [@&#8203;quantpoet](https://github.com/quantpoet))
- Vault: Migrate Vault E2E add-on tests from deprecated `vault-client-go` to the new `vault/api` client. ([#&#8203;8059](cert-manager/cert-manager#8059), [@&#8203;armagankaratosun](https://github.com/armagankaratosun))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMzUuNCIsInVwZGF0ZWRJblZlciI6IjQxLjEzNS40IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJjaGFydCJdfQ==-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1711
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
@wallrj-cyberark
Copy link
Copy Markdown
Member

wallrj-cyberark commented Oct 15, 2025

@hjoshi123 We have released this. Please test and feedback: https://github.com/cert-manager/cert-manager/releases/tag/v1.19.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@erikgb erikgb erikgb left review comments

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/acme/dns01 Indicates a PR modifies ACME DNS01 provider code area/acme Indicates a PR directly modifies the ACME Issuer code area/api Indicates a PR directly modifies the 'pkg/apis' directory area/deploy Indicates a PR modifies deployment configuration area/testing Issues relating to testing dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. ok-to-test release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

dns-update (rfc2136) over TCP (rfc1035)

3 participants

@hjoshi123 @wallrj-cyberark @erikgb