Akamai Edge DNS - Support for "Account Switch Key" in DNS01 Solver  #6883

Open
Aransh opened this issue Apr 4, 2024 · 6 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence.

Comments

@Aransh

Aransh commented Apr 4, 2024

Is your feature request related to a problem? Please describe.
We are using cert-manager with the Akamai DNS01 solver for issuing certificates. Our Akamai setup requires us to use an "account switch key" to interact with the Akamai Edge DNS API. Currently, cert-manager does not support passing an "account switch key" to the Akamai API.

Describe the solution you'd like
We would like cert-manager to support the Akamai "account switch key" in the DNS01 solver. This could be implemented as a new field in the AkamaiDNS01Solver struct, similar to the existing clientTokenSecretRef, clientSecretSecretRef, and accessTokenSecretRef fields. The Akamai client configuration in the DNS01 solver should be updated to use this new field.

From my experience, this parameter can be passed using the .edgerc file under "account_key", or in API calls as "accountSwitchKey".

Describe alternatives you've considered
We considered passing the "account switch key" as an environment variable to the cert-manager pod, but this is not a viable solution because the DNS01 solver gets its configuration from the Issuer or ClusterIssuer resource, not from environment variables in the pod.

Additional context
The "account switch key" is a feature of the Akamai Edge DNS API that allows clients to switch between different Akamai accounts. This is required in some Akamai setups.

Environment details (remove if not applicable):

  • Kubernetes version: 1.27
  • Cloud-provider/provisioner: Linode
  • cert-manager version: v1.13.5
  • Install method: e.g. Helm/ArgoCD

/kind feature
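The two places the request above names for this parameter are the `account_key` field of an .edgerc section and the `accountSwitchKey` query parameter on API calls. The following Go program is an added example written for this page; it is not cert-manager's code and not the Akamai EdgeGrid client library. It parses an .edgerc section, refuses to proceed when the host or any of the three EdgeGrid credentials is missing, and appends `accountSwitchKey` to an Edge DNS URL only when a key is configured. The .edgerc text, host name, token values, account key and recordset path are constructed placeholders, and EdgeGrid request signing is deliberately not shown.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"strings"
)

// sampleEdgeRC is constructed test input, not a real credential file. [default]
// carries an account switch key, [noswitch] does not, [incomplete] lacks access_token.
const sampleEdgeRC = `
; constructed example .edgerc
[default]
host = akaa-example.luna.akamaiapis.net/
client_token = akab-client-token-placeholder
client_secret = client-secret-placeholder
access_token = akab-access-token-placeholder
account_key = 1-ABCDE:1-2345

[noswitch]
host = akaa-example.luna.akamaiapis.net
client_token = akab-client-token-placeholder
client_secret = client-secret-placeholder
access_token = akab-access-token-placeholder

[incomplete]
host = akaa-example.luna.akamaiapis.net
client_token = akab-client-token-placeholder
client_secret = client-secret-placeholder
`

// EdgeRC is the subset of an .edgerc section an EdgeGrid client needs.
// AccountKey is optional; the host and the three tokens are required.
type EdgeRC struct {
	Host, ClientToken, ClientSecret, AccessToken, AccountKey string
}

// ParseEdgeRC extracts one named section from .edgerc-style INI text.
func ParseEdgeRC(text, section string) (EdgeRC, error) {
	var rc EdgeRC
	inSection, found := false, false
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			inSection = strings.Trim(line, "[]") == section
			found = found || inSection
			continue
		}
		if !inSection {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			return EdgeRC{}, fmt.Errorf("malformed .edgerc line %q", line)
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		switch key {
		case "host":
			rc.Host = strings.TrimSuffix(val, "/") // some files carry a trailing slash
		case "client_token":
			rc.ClientToken = val
		case "client_secret":
			rc.ClientSecret = val
		case "access_token":
			rc.AccessToken = val
		case "account_key":
			rc.AccountKey = val
		}
	}
	if !found {
		return EdgeRC{}, fmt.Errorf("section %q not found", section)
	}
	// Fail closed: requests cannot be signed without all three tokens.
	if rc.Host == "" || rc.ClientToken == "" || rc.ClientSecret == "" || rc.AccessToken == "" {
		return EdgeRC{}, fmt.Errorf("section %q is missing host or a credential field", section)
	}
	return rc, nil
}

// RequestURL builds an Edge DNS API URL for path, adding the account switch key
// as the accountSwitchKey query parameter only when one is configured.
func RequestURL(rc EdgeRC, path string, query url.Values) string {
	q := url.Values{}
	for k, v := range query {
		q[k] = v
	}
	if rc.AccountKey != "" {
		q.Set("accountSwitchKey", rc.AccountKey)
	}
	u := url.URL{Scheme: "https", Host: rc.Host, Path: path, RawQuery: q.Encode()}
	return u.String()
}

func main() {
	rc, err := ParseEdgeRC(sampleEdgeRC, "default")
	if err != nil {
		panic(err)
	}
	// Illustrative recordset path; zone and record name are placeholders.
	fmt.Println(RequestURL(rc, "/config-dns/v2/zones/example.com/names/_acme-challenge.example.com/types/TXT", nil))
}
```

The account switch key is kept separate from the three signing tokens so that a section without it still produces a valid URL, which matches the issue's request that the new field be optional alongside the existing secret references.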

@jetstack-bot jetstack-bot added the kind/feature Categorizes issue or PR as related to a new feature. label Apr 4, 2024
@Aransh Aransh changed the title Akamai Edge DNS - support "Account switch key" Akamai Edge DNS - Support for "Account Switch Key" in DNS01 Solver  Apr 4, 2024
@cert-manager-bot
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

@cert-manager-prow cert-manager-prow bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 3, 2024
@cert-manager-bot
Contributor

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/remove-lifecycle stale

@cert-manager-prow cert-manager-prow bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 2, 2024
@ThatsMrTalbot
Contributor

This seems like an improvement; we don't have an Akamai environment to test this against, but would welcome contributions around this.

/priority backlog
/remove-lifecycle rotten

@cert-manager-prow cert-manager-prow bot added priority/backlog Higher priority than priority/awaiting-more-evidence. and removed lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. labels Aug 29, 2024
@absynth76

Should I make a suggestion here? Wouldn't it be better to create a kind of OutOfBoundDNS01Challenge?
The principle would be to create a custom resource with what is necessary for the challenge; specifications to be defined, but something like:

specs:
  dns_name: <YOUR_DOMAIN>
  record: <associated_txt_record alias challenge>

The cert-manager controller would validate/watch the resource with the help of a status that can be followed: INITIALIZED, CREATED, TO_BE_PURGED, DELETED, ERROR (again, to be defined),

and an external controller, which could filter based on the domain name or an optional annotation (or something else), would be in charge of the CREATED and TO_BE_PURGED phases and, to an extent, ERROR.

for the statuses, a small definition could be:

  • INITIALIZED: txt_record must be created
  • CREATED: txt_record is ready and was handled by the DNS controller
  • TO_BE_PURGED: txt_record can be deleted by the DNS controller
  • DELETED: cert-manager controller can safely delete the resource
  • ERROR: txt_record could not be created (external controller) OR wasn't created on time (cert-manager controller)

I think it would make sense; this way cert-manager would not have to take care of all DNS implementations and their different APIs. It would be delegated to the relevant controller, even a proprietary one, for example.
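To make the hand-off in this proposal concrete, here is an added Go sketch written for this page; it is neither cert-manager code nor an implementation the thread agreed on. It models the status values above as a state machine in which each transition is owned by one side: only the external controller may mark CREATED and DELETED, only cert-manager may request a purge, and either side may move INITIALIZED to ERROR (the external controller on a failed create, cert-manager on a timeout). The resource type, the actor names, the ownership table and the timeout rule are assumptions read from the comment.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Phase is the status value proposed in the comment above.
type Phase string

const (
	PhaseInitialized Phase = "INITIALIZED"  // TXT record must be created
	PhaseCreated     Phase = "CREATED"      // external controller wrote the record
	PhaseToBePurged  Phase = "TO_BE_PURGED" // record may now be deleted
	PhaseDeleted     Phase = "DELETED"      // cert-manager may delete the resource
	PhaseError       Phase = "ERROR"        // creation failed or timed out
)

// Actor names the controller attempting a status change (assumed names).
type Actor string

const (
	ActorCertManager Actor = "cert-manager"
	ActorExternalDNS Actor = "external-dns-controller"
)

// OutOfBandDNS01Challenge is a minimal stand-in for the proposed custom resource.
type OutOfBandDNS01Challenge struct {
	DNSName string
	Record  string
	Phase   Phase
	Created time.Time // when the resource entered INITIALIZED
}

var ErrForbidden = errors.New("transition not permitted")

// ownership lists, per (from, to) edge, the actors allowed to perform it.
// Any edge absent here (for example CREATED -> DELETED) is rejected.
var ownership = map[[2]Phase][]Actor{
	{PhaseInitialized, PhaseCreated}: {ActorExternalDNS},
	{PhaseInitialized, PhaseError}:   {ActorExternalDNS, ActorCertManager},
	{PhaseCreated, PhaseToBePurged}:  {ActorCertManager},
	{PhaseToBePurged, PhaseDeleted}:  {ActorExternalDNS},
}

// Transition moves the challenge to next if that edge exists and by owns it.
func (c *OutOfBandDNS01Challenge) Transition(next Phase, by Actor) error {
	actors, ok := ownership[[2]Phase{c.Phase, next}]
	if !ok {
		return fmt.Errorf("%w: %s -> %s", ErrForbidden, c.Phase, next)
	}
	for _, a := range actors {
		if a == by {
			c.Phase = next
			return nil
		}
	}
	return fmt.Errorf("%w: %s may not move %s -> %s", ErrForbidden, by, c.Phase, next)
}

// CertManagerReconcile is one pass of the cert-manager side. validated reports
// whether the ACME server has accepted the challenge; timeout bounds how long the
// external controller gets to reach CREATED before the challenge is failed.
func CertManagerReconcile(c *OutOfBandDNS01Challenge, now time.Time, validated bool, timeout time.Duration) (string, error) {
	switch c.Phase {
	case PhaseInitialized:
		if now.Sub(c.Created) > timeout {
			return "mark-error", c.Transition(PhaseError, ActorCertManager)
		}
		return "wait-for-record", nil
	case PhaseCreated:
		if validated {
			return "request-purge", c.Transition(PhaseToBePurged, ActorCertManager)
		}
		return "present-to-acme", nil
	case PhaseDeleted:
		return "delete-resource", nil
	case PhaseError:
		return "fail-challenge", nil
	}
	return "wait-for-purge", nil // TO_BE_PURGED belongs to the external controller
}

func main() {
	start := time.Now()
	c := &OutOfBandDNS01Challenge{DNSName: "_acme-challenge.example.com", Record: "constructed-token", Phase: PhaseInitialized, Created: start}
	fmt.Println(c.Transition(PhaseCreated, ActorCertManager)) // rejected: cert-manager does not own this edge
	fmt.Println(c.Transition(PhaseCreated, ActorExternalDNS)) // <nil>
	action, err := CertManagerReconcile(c, start, true, 10*time.Minute)
	fmt.Println(action, err, c.Phase) // request-purge <nil> TO_BE_PURGED
}
```

Encoding the owner of each edge is what stops the two controllers from racing on the same status field: a record that the external controller has not yet written can never be reported CREATED by cert-manager, and the external controller cannot retire a record before cert-manager has asked for the purge.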

@ThatsMrTalbot
Contributor

Hi @absynth76 !

Should I make a suggestion here? Wouldn't it be better to create a kind of OutOfBoundDNS01Challenge?
The principle would be to create a custom resource with what is necessary for the challenge

cert-manager already has a plug-in mechanism for DNS providers using a webhook - https://cert-manager.io/docs/configuration/acme/dns01/webhook/

For example, I have a POC DNS provider that uses ExternalDNS under the hood.

This idea sounds like a similar thing, but using CRDs instead of webhooks?

@absynth76

Hi, thanks, sounds like it, yes. It would have been easier in my opinion, knowing now that cert-manager is creating Challenge CRs (which I had not heard about prior to posting my "suggestion") that could simply have been hooked by a third-party controller. The webhook achieves the same job, I guess; I'll read more about it. Thank you again for the answer.

Development

No branches or pull requests

5 participants