Akamai Edge DNS - Support for "Account Switch Key" in DNS01 Solver #6883
Comments
Issues go stale after 90d of inactivity.
Stale issues rot after 30d of inactivity.
This seems like an improvement, we don't have an Akamai environment to test this against but would welcome contributions around this /priority backlog
Should I make a suggestion here? Wouldn't it be better to create a kind of OutOfBoundDNS01Challenge ?
cert-manager controller would validate/watch the resource with help of a status that can be followed - INITIALIZED - CREATED - TO_BE_PURGED - DELETED - ERROR (again to be defined) and an external controller, that could filter based on the domain name or an optional annotation (or else), would be in charge of the CREATED, TO_BE_PURGED phases and to an extent: ERROR for the statuses, a small definition could be:
I think it would make sense, this way cert-manager would not have to take care of all implementations of DNS and their different APIs, it would be delegated to the relevant controller - even proprietary for example.
Hi @absynth76 !
cert-manager already has a plug-in mechanism for DNS providers using a webhook - https://cert-manager.io/docs/configuration/acme/dns01/webhook/ For example I have a POC DNS provider that uses ExternalDNS under the hood. This idea sounds like a similar thing, but using CRDs instead of webhooks?
Hi, thanks, sounds like it yes, it would have been easier in my opinion, knowing now that cert-manager is creating Challenge CRs (which I had not heard about prior to posting my "suggestion") that could simply have been hooked by a third-party controller. The webhook achieves the same job I guess, I'll read more about it, thank you again for the answer.
Is your feature request related to a problem? Please describe.
We are using cert-manager with the Akamai DNS01 solver for issuing certificates. Our Akamai setup requires us to use an "account switch key" to interact with the Akamai Edge DNS API. Currently, cert-manager does not support passing an "account switch key" to the Akamai API.
Describe the solution you'd like
We would like cert-manager to support the Akamai "account switch key" in the DNS01 solver. This could be implemented as a new field in the AkamaiDNS01Solver struct, similar to the existing clientTokenSecretRef, clientSecretSecretRef, and accessTokenSecretRef fields. The Akamai client configuration in the DNS01 solver should be updated to use this new field.
From my experience, this parameter can be passed using the .edgerc file under "account_key", or in API calls as "accountSwitchKey".
Describe alternatives you've considered
We considered passing the "account switch key" as an environment variable to the cert-manager pod, but this is not a viable solution because the DNS01 solver gets its configuration from the Issuer or ClusterIssuer resource, not from environment variables in the pod.
Additional context
The "account switch key" is a feature of the Akamai Edge DNS API that allows clients to switch between different Akamai accounts. This is required in some Akamai setups.
/kind feature
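The two ways the issue says the key can be supplied (an `account_key` entry in `.edgerc`, or an `accountSwitchKey` query parameter on the API call) are shown together in the added example below. This is illustration code written for this page, not cert-manager's Akamai solver and not Akamai's edgegrid library: the `.edgerc` parser, the `RequestURL` helper, the recordset path used for the `_acme-challenge` TXT record, and the sample credentials are all constructed here. The one caveat a practitioner needs is in the `RequestURL` comment: EdgeGrid signs the path and query string, so the switch key must be on the URL before the Authorization header is computed, otherwise the request fails authentication rather than switching accounts.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"strings"
)

// EdgeRC holds the credentials from one [section] of an .edgerc file. The
// field names mirror the .edgerc keys; account_key is the optional
// "account switch key" this issue asks cert-manager to support.
type EdgeRC struct {
	Host         string
	ClientToken  string
	ClientSecret string
	AccessToken  string
	AccountKey   string // empty when the section carries no account_key
}

// Constructed sample: placeholder values, not real Akamai credentials.
// [default] has no switch key; [dns] carries one, as a multi-account setup would.
const sampleEdgeRC = `# constructed sample for illustration
[default]
host = akab-example.luna.akamaiapis.net
client_token = akab-client-token-example
client_secret = example-client-secret
access_token = akab-access-token-example

[dns]
host = akab-example.luna.akamaiapis.net
client_token = akab-client-token-example
client_secret = example-client-secret
access_token = akab-access-token-example
account_key = 1-ABCDEF:1-XYZ
max-body = 131072
`

// ParseEdgeRC returns the named [section] of .edgerc-style INI text. It is
// deliberately strict: an unknown key is an error, so a misspelt account_key
// cannot silently leave the switch key unset and hit the wrong account.
func ParseEdgeRC(text, section string) (EdgeRC, error) {
	var cfg EdgeRC
	found, inSection := false, false
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			inSection = strings.TrimSpace(line[1:len(line)-1]) == section
			found = found || inSection
			continue
		}
		if !inSection {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			return cfg, fmt.Errorf("edgerc: malformed line %q", line)
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		switch key {
		case "host":
			cfg.Host = val
		case "client_token":
			cfg.ClientToken = val
		case "client_secret":
			cfg.ClientSecret = val
		case "access_token":
			cfg.AccessToken = val
		case "account_key":
			cfg.AccountKey = val
		case "max-body": // common in .edgerc files; not needed for URL construction
		default:
			return cfg, fmt.Errorf("edgerc: unknown key %q in [%s]", key, section)
		}
	}
	if !found {
		return cfg, fmt.Errorf("edgerc: section [%s] not found", section)
	}
	// The four EdgeGrid credentials are mandatory; only account_key is optional.
	required := []struct{ name, val string }{
		{"host", cfg.Host}, {"client_token", cfg.ClientToken},
		{"client_secret", cfg.ClientSecret}, {"access_token", cfg.AccessToken},
	}
	for _, r := range required {
		if r.val == "" {
			return cfg, fmt.Errorf("edgerc: [%s] is missing %s", section, r.name)
		}
	}
	return cfg, nil
}

// RequestURL builds the URL for an Edge DNS call against the .edgerc host.
// When an account switch key is configured it is appended as the
// accountSwitchKey query parameter (URL-encoded, since keys contain ':').
// Call this BEFORE computing the EdgeGrid Authorization header: the
// signature covers path and query, so a key added after signing fails
// authentication instead of switching accounts.
func RequestURL(cfg EdgeRC, path string) (string, error) {
	if cfg.Host == "" || strings.Contains(cfg.Host, "/") {
		return "", fmt.Errorf("edgerc: host %q must be a bare hostname", cfg.Host)
	}
	u := url.URL{Scheme: "https", Host: cfg.Host, Path: path}
	if cfg.AccountKey != "" {
		q := url.Values{}
		q.Set("accountSwitchKey", cfg.AccountKey)
		u.RawQuery = q.Encode()
	}
	return u.String(), nil
}

// txtRecordPath is an illustrative Edge DNS v2 recordset path for the ACME
// TXT record; _acme-challenge.<name> is where the DNS01 solver publishes the token.
func txtRecordPath(zone, name string) string {
	return "/config-dns/v2/zones/" + zone + "/names/_acme-challenge." + name + "/types/TXT"
}

func main() {
	for _, section := range []string{"default", "dns"} {
		cfg, err := ParseEdgeRC(sampleEdgeRC, section)
		if err != nil {
			fmt.Println(err)
			continue
		}
		u, err := RequestURL(cfg, txtRecordPath("example.com", "example.com"))
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("[%s] -> %s\n", section, u)
	}
}
```

Running it prints the same recordset URL twice, once bare for `[default]` and once with `?accountSwitchKey=1-ABCDEF%3A1-XYZ` for `[dns]`; that difference is the whole feature. In cert-manager terms the key would come from a Secret referenced by the Issuer rather than from `.edgerc`, but the place it has to end up (on the URL, before signing) is the same.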