fix(deps): major upgrade of Akamai SDK by hjoshi123 · Pull Request #8003 · cert-manager/cert-manager

hjoshi123 · 2025-08-24T16:40:08Z

Pull Request Motivation

This PR addresses sdk related changes for akamai dns provider. Akamai has changed their sdk and v1 is no longer backwards compatible.

Kind

/kind cleanup

Release Note

Major upgrade of Akamai SDK. NOTE: The new version has not been fully tested end-to-end due to the lack of cloud infrastructure.

pkg/issuer/acme/dns/akamai/akamai.go

inteon · 2025-08-25T07:40:01Z

/approve
Need someone else to lgtm when they think this will work as expected.

cert-manager-prow · 2025-08-25T07:40:08Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [inteon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

pkg/issuer/acme/dns/akamai/akamai.go

erikgb · 2025-08-25T16:54:25Z

Maybe we should ask on #cert-manager Slack if any users are using Akamai DNS and could help us verify this upgrade? @hjoshi123, WDYT, and do you want to follow up on this?

hjoshi123 · 2025-08-25T17:03:13Z

Yes @erikgb I can do a follow up on the cert-mgr channel.. since the tests we wrote are stubbed clients it would be nice to get someone to test it out

erikgb

Some minor nits from me remaining now. Soft LGTM! Great work!

pkg/issuer/acme/dns/akamai/akamai.go

erikgb · 2025-08-25T18:21:39Z

/hold

Until we can get a user of Akamai DNS for ACME to end-to-end test this.

pkg/issuer/acme/dns/akamai/akamai.go

Signed-off-by: hjoshi123 <mail@hjoshi.me> Update pkg/issuer/acme/dns/akamai/akamai.go Co-authored-by: Erik Godding Boye <egboye@gmail.com> Signed-off-by: Hemant Joshi <mail2hemantjoshi@pm.me> Update pkg/issuer/acme/dns/akamai/akamai.go Co-authored-by: Erik Godding Boye <egboye@gmail.com> Signed-off-by: Hemant Joshi <mail2hemantjoshi@pm.me> Update pkg/issuer/acme/dns/akamai/akamai.go Co-authored-by: Erik Godding Boye <egboye@gmail.com> Signed-off-by: Hemant Joshi <mail2hemantjoshi@pm.me> Update pkg/issuer/acme/dns/akamai/akamai.go Co-authored-by: Erik Godding Boye <egboye@gmail.com> Signed-off-by: Hemant Joshi <mail2hemantjoshi@pm.me> Update pkg/issuer/acme/dns/akamai/akamai.go Co-authored-by: Erik Godding Boye <egboye@gmail.com> Signed-off-by: Hemant Joshi <mail2hemantjoshi@pm.me> Update pkg/issuer/acme/dns/akamai/akamai.go Co-authored-by: Erik Godding Boye <egboye@gmail.com> Signed-off-by: Hemant Joshi <mail2hemantjoshi@pm.me> changed references to opendnsclient Signed-off-by: hjoshi123 <mail@hjoshi.me> Use edgegrid.New options Signed-off-by: Erik Godding Boye <egboye@gmail.com> Update pkg/issuer/acme/dns/akamai/akamai.go Co-authored-by: Erik Godding Boye <egboye@gmail.com> Signed-off-by: Hemant Joshi <mail2hemantjoshi@pm.me> Update pkg/issuer/acme/dns/akamai/akamai.go Co-authored-by: Erik Godding Boye <egboye@gmail.com> Signed-off-by: Hemant Joshi <mail2hemantjoshi@pm.me> Update pkg/issuer/acme/dns/akamai/akamai.go Co-authored-by: Erik Godding Boye <egboye@gmail.com> Signed-off-by: Hemant Joshi <mail2hemantjoshi@pm.me> Update pkg/issuer/acme/dns/akamai/akamai.go Co-authored-by: Erik Godding Boye <egboye@gmail.com> Signed-off-by: Hemant Joshi <mail2hemantjoshi@pm.me> Update pkg/issuer/acme/dns/akamai/akamai.go Co-authored-by: Erik Godding Boye <egboye@gmail.com> Signed-off-by: Hemant Joshi <mail2hemantjoshi@pm.me>

erikgb

/lgtm

But let's hold this for a couple of days to see if any Akamai DNS user can help us test this end-to-end.

ThatsMrTalbot · 2025-08-27T11:32:27Z

pkg/issuer/acme/dns/akamai/akamai.go

 	}

-	_, ok := err.(*dns.RecordError)
+	_, ok := err.(*dns.Error)


Should we use errors.Is instead of a type cast? It handles error wrapping.

Good point, but my idea was to make this major upgrade PR as minimal as possible.

But I agree this could be fixed here also.

erikgb · 2025-08-28T15:46:05Z

@inteon, we didn't get any response on our attempt to get someone to test this. Should we just merge this and ensure we add a note about this in the release notes.

@hjoshi123 Can you please fill in a release note entry (in the PR description).

hjoshi123 · 2025-08-28T15:53:40Z

/release-note-edit

Major upgrade of Akamai SDK. NOTE that this version is not end-to-end tested

erikgb · 2025-08-29T11:47:32Z

/unhold

hjoshi123 · 2025-08-29T11:53:28Z

/retest

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cert-manager](https://cert-manager.io) ([source](https://github.com/cert-manager/cert-manager)) | minor | `v1.18.2` -> `v1.19.0` | --- ### Release Notes <details> <summary>cert-manager/cert-manager (cert-manager)</summary> ### [`v1.19.0`](https://github.com/cert-manager/cert-manager/releases/tag/v1.19.0) [Compare Source](cert-manager/cert-manager@v1.18.2...v1.19.0) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. This release focuses on expanding platform compatibility, improving deployment flexibility, enhancing observability, and addressing key reliability issues. > 📖 Read the full release notes at cert-manager.io: <https://cert-manager.io/docs/releases/release-notes/release-notes-1.19> Changes since `v1.18.0`: #### Feature - Add IPv6 rules to the default network policy ([#7726](cert-manager/cert-manager#7726), [@jcpunk](https://github.com/jcpunk)) - Add `global.nodeSelector` to helm chart to allow for a single `nodeSelector` to be set across all services. ([#7818](cert-manager/cert-manager#7818), [@StingRayZA](https://github.com/StingRayZA)) - Add a feature gate to default to Ingress `pathType` `Exact` in ACME HTTP01 Ingress challenge solvers. ([#7795](cert-manager/cert-manager#7795), [@sspreitzer](https://github.com/sspreitzer)) - Add generated `applyconfigurations` allowing clients to make type-safe server-side apply requests for cert-manager resources. ([#7866](cert-manager/cert-manager#7866), [@erikgb](https://github.com/erikgb)) - Added API defaults to issuer references group (cert-manager.io) and kind (Issuer). ([#7414](cert-manager/cert-manager#7414), [@erikgb](https://github.com/erikgb)) - Added `certmanager_certificate_challenge_status` Prometheus metric. ([#7736](cert-manager/cert-manager#7736), [@hjoshi123](https://github.com/hjoshi123)) - Added `protocol` field for `rfc2136` DNS01 provider ([#7881](cert-manager/cert-manager#7881), [@hjoshi123](https://github.com/hjoshi123)) - Added experimental field `hostUsers` flag to all pods. Not set by default. ([#7973](cert-manager/cert-manager#7973), [@hjoshi123](https://github.com/hjoshi123)) - Support configurable resource requests and limits for ACME HTTP01 solver pods through ClusterIssuer and Issuer specifications, allowing granular resource management that overrides global `--acme-http01-solver-resource-*` settings. ([#7972](cert-manager/cert-manager#7972), [@lunarwhite](https://github.com/lunarwhite)) - The `CAInjectorMerging` feature has been promoted to BETA and is now enabled by default ([#8017](cert-manager/cert-manager#8017), [@ThatsMrTalbot](https://github.com/ThatsMrTalbot)) - The controller, webhook and ca-injector now log their version and git commit on startup for easier debugging and support. ([#8072](cert-manager/cert-manager#8072), [@prasad89](https://github.com/prasad89)) - Updated `certificate` metrics to the collector approach. ([#7856](cert-manager/cert-manager#7856), [@hjoshi123](https://github.com/hjoshi123)) #### Bug or Regression - ACME: Increased challenge authorization timeout to 2 minutes to fix `error waiting for authorization` ([#7796](cert-manager/cert-manager#7796), [@hjoshi123](https://github.com/hjoshi123)) - BUGFIX: permitted URI domains were incorrectly used to set the excluded URI domains in the CSR's name constraints ([#7816](cert-manager/cert-manager#7816), [@kinolaev](https://github.com/kinolaev)) - Enforced ACME HTTP-01 solver validation to properly reject configurations when multiple ingress options (`class`, `ingressClassName`, `name`) are specified simultaneously ([#8021](cert-manager/cert-manager#8021), [@lunarwhite](https://github.com/lunarwhite)) - Increase maximum sizes of PEM certificates and chains which can be parsed in cert-manager, to handle leaf certificates with large numbers of DNS names or other identities ([#7961](cert-manager/cert-manager#7961), [@SgtCoDFish](https://github.com/SgtCoDFish)) - Reverted adding the `global.rbac.disableHTTPChallengesRole` Helm option. ([#7836](cert-manager/cert-manager#7836), [@inteon](https://github.com/inteon)) - This change removes the `path` label of core ACME client metrics and will require users to update their monitoring dashboards and alerting rules if using those metrics. ([#8109](cert-manager/cert-manager#8109), [@mladen-rusev-cyberark](https://github.com/mladen-rusev-cyberark)) - Use the latest version of `ingress-nginx` in E2E tests to ensure compatibility ([#7792](cert-manager/cert-manager#7792), [@wallrj](https://github.com/wallrj)) #### Other (Cleanup or Flake) - Helm: Fix naming template of `tokenrequest` RoleBinding resource to improve consistency ([#7761](cert-manager/cert-manager#7761), [@lunarwhite](https://github.com/lunarwhite)) - Improve error messages when certificates, CRLs or private keys fail admission due to malformed or missing PEM data ([#7928](cert-manager/cert-manager#7928), [@SgtCoDFish](https://github.com/SgtCoDFish)) - Major upgrade of Akamai SDK. NOTE: The new version has not been fully tested end-to-end due to the lack of cloud infrastructure. ([#8003](cert-manager/cert-manager#8003), [@hjoshi123](https://github.com/hjoshi123)) - Update kind images to include the Kubernetes 1.33 node image ([#7786](cert-manager/cert-manager#7786), [@wallrj](https://github.com/wallrj)) - Use `maps.Copy` for cleaner map handling ([#8092](cert-manager/cert-manager#8092), [@quantpoet](https://github.com/quantpoet)) - Vault: Migrate Vault E2E add-on tests from deprecated `vault-client-go` to the new `vault/api` client. ([#8059](cert-manager/cert-manager#8059), [@armagankaratosun](https://github.com/armagankaratosun)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1711 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

wallrj-cyberark · 2025-10-15T16:08:42Z

@hjoshi123 We have released this. Please test and feedback: https://github.com/cert-manager/cert-manager/releases/tag/v1.19.1

hjoshi123 force-pushed the fix/akamai-upgrade-sdk branch from 81aece0 to 0048873 Compare August 24, 2025 20:25

erikgb force-pushed the fix/akamai-upgrade-sdk branch from 0048873 to c6fbdba Compare August 24, 2025 21:47

hjoshi123 force-pushed the fix/akamai-upgrade-sdk branch from c6fbdba to 2675c23 Compare August 24, 2025 21:59

hjoshi123 changed the title ~~WIP fix(dns): upgrading akamai provider~~ fix(dns): upgrading akamai provider Aug 24, 2025

cert-manager-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 24, 2025

erikgb reviewed Aug 24, 2025

View reviewed changes

pkg/issuer/acme/dns/akamai/akamai.go Outdated Show resolved Hide resolved

pkg/issuer/acme/dns/akamai/akamai.go Outdated Show resolved Hide resolved

hjoshi123 force-pushed the fix/akamai-upgrade-sdk branch from 2675c23 to 8f2df05 Compare August 24, 2025 23:47

hjoshi123 requested a review from erikgb August 24, 2025 23:48

cert-manager-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 25, 2025