Implement the DNS-over-HTTPS check

[FlorianLiebhart]

Pull Request Motivation

If cert-manager is run inside a network from which it is not possible to do TXT DNS entry checks, e.g. because the network does not allow DNS lookups on port 53 or because it has a different DNS view on the same domain (aka DNS split horizon view), which is not an uncommon setup, changes made to public DNS provider wont be visible from the inside and the DNS solver propagation checks never succeed.

This change adds a new way to check for DNS propagation with
the help of DNS over HTTPS resolvers. In the current form it implements the DNS Wire format, as defined in RFC 8484.

The DNS check method to be used is controlled by making use of the --dns01-recursive-nameservers-only=true flag in order to specify to use the defined recursive name servers only, as well as the --dns01-recursive-nameservers flag, for which the implementation has been slightly extended to also take DoH endpoints, like the following:
--dns01-recursive-nameservers=https://8.8.8.8/dns-query.

Thanks @redbaron for your original idea and contribution regarding this feature, which I have built upon!
And thanks especially a lot to @maelvls and @inteon for your great great great help during this PR!! :)

Kind

feature

Release Note

DNS over HTTPS (DoH) is now possible for doing the self-checks during the ACME verification.
The DNS check method to be used is controlled through the command line flag: `--dns01-recursive-nameservers-only=true` in combination with `--dns01-recursive-nameservers=https://<DoH-endpoint>` (e.g. `https://8.8.8.8/dns-query`). It keeps using DNS lookup as a default method.

[jetstack-bot]

Hi @FlorianLiebhart. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jakexks]

Thanks for reaching out in the dev slack. I'll enable the CI tests.

/ok-to-test

[FlorianLiebhart]

/retest-required

[FlorianLiebhart]

/retest-required

[FlorianLiebhart]

/retest-required

[FlorianLiebhart]

/retest-required

[FlorianLiebhart]

/retest-required

[FlorianLiebhart]

/retest-required

[jetstack-bot]

@FlorianLiebhart: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cert-manager-master-e2e-v1-25	9c0c120	link	true	/test pull-cert-manager-master-e2e-v1-25

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[maelvls]

Great work. I'm totally OK with the fact that we don't have any tests that use BIND, I think the "live" unit tests that call out to https://1.1.1.1/dns-query are totally fine.

That said, I am worried that we haven't tested querying TXT and CNAME records, but I feel confident that testing A and CAA is enough.

/lgtm

[maelvls]

/unhold

[maelvls]

Next step: write the documentation! ✨🎉📖

[FlorianLiebhart]

@Galphaa @muffl0n @hvpareja and everyone else who was interested in these changes:
--> Great news! This PR is now merged!! :) 🥳 🎉

@maelvls also just created an alpha release, which can be used from now on! :)

Here it is: https://github.com/cert-manager/cert-manager/releases/tag/v1.13.0-alpha.0

All the best, have fun, and thanks sooo much to @maelvls for your BIG contribution and for pushing this change forward and for your great documentation skills! Not possible without you!
and to @inteon For your great help and big contribution and improvements these past days!!
Very happy! :)

[hvpareja]

Thanks a lot for the great job @FlorianLiebhart !

[muffl0n]

Awesome! Thank you very much! This works like a charm! 😍
I'm getting some weird log messages, though:

I0621 07:14:12.406491       1 trigger_controller.go:194] "cert-manager/certificates-trigger: Certificate must be re-issued" key="default/doh" reason="DoesNotExist" message="Issuing certificate as Secret does not exist"
I0621 07:14:12.406504       1 conditions.go:203] Setting lastTransitionTime for Certificate "doh" condition "Ready" to 2023-06-21 07:14:12.406490562 +0000 UTC m=+122.321224672
I0621 07:14:12.406536       1 conditions.go:203] Setting lastTransitionTime for Certificate "doh" condition "Issuing" to 2023-06-21 07:14:12.406532541 +0000 UTC m=+122.321266651
I0621 07:14:12.435328       1 controller.go:162] "cert-manager/certificates-trigger: re-queuing item due to optimistic locking on resource" key="default/doh" error="Operation cannot be fulfilled on certificates.cert-manager.io \"doh\": the object has been modified; please apply your changes to the latest version and try again"
I0621 07:14:12.435402       1 trigger_controller.go:194] "cert-manager/certificates-trigger: Certificate must be re-issued" key="default/doh" reason="DoesNotExist" message="Issuing certificate as Secret does not exist"
I0621 07:14:12.435422       1 conditions.go:203] Setting lastTransitionTime for Certificate "doh" condition "Issuing" to 2023-06-21 07:14:12.435417111 +0000 UTC m=+122.350151218
I0621 07:14:12.906043       1 conditions.go:263] Setting lastTransitionTime for CertificateRequest "doh-rlg6s" condition "Approved" to 2023-06-21 07:14:12.906031105 +0000 UTC m=+122.820765217
I0621 07:14:12.931793       1 conditions.go:263] Setting lastTransitionTime for CertificateRequest "doh-rlg6s" condition "Ready" to 2023-06-21 07:14:12.931780358 +0000 UTC m=+122.846514465
I0621 07:15:22.411445       1 acme.go:233] "cert-manager/certificaterequests-issuer-acme/sign: certificate issued" resource_name="doh-rlg6s" resource_namespace="default" resource_kind="CertificateRequest" resource_version="v1" related_resource_name="doh-rlg6s-879856528" related_resource_namespace="default" related_resource_kind="Order" related_resource_version="v1"
I0621 07:15:22.411566       1 conditions.go:252] Found status change for CertificateRequest "doh-rlg6s" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2023-06-21 07:15:22.411547187 +0000 UTC m=+192.326281285
I0621 07:15:22.461017       1 conditions.go:192] Found status change for Certificate "doh" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2023-06-21 07:15:22.461008161 +0000 UTC m=+192.375742255
I0621 07:15:22.477386       1 controller.go:162] "cert-manager/certificates-readiness: re-queuing item due to optimistic locking on resource" key="default/doh" error="Operation cannot be fulfilled on certificates.cert-manager.io \"doh\": the object has been modified; please apply your changes to the latest version and try again"
I0621 07:15:22.478231       1 conditions.go:192] Found status change for Certificate "doh" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2023-06-21 07:15:22.47822114 +0000 UTC m=+192.392955247
I0621 07:15:22.498381       1 controller.go:162] "cert-manager/certificates-key-manager: re-queuing item due to optimistic locking on resource" key="default/doh" error="Operation cannot be fulfilled on certificates.cert-manager.io \"doh\": the object has been modified; please apply your changes to the latest version and try again"
I0621 07:15:22.502347       1 controller.go:162] "cert-manager/certificates-issuing: re-queuing item due to optimistic locking on resource" key="default/doh" error="Operation cannot be fulfilled on certificates.cert-manager.io \"doh\": the object has been modified; please apply your changes to the latest version and try again"
E0621 07:15:22.894995       1 sync.go:73] "cert-manager/orders: failed to update status" resource_name="doh-rlg6s-879856528" resource_namespace="default" resource_kind="Order" resource_version="v1"
I0621 07:15:22.895037       1 controller.go:162] "cert-manager/orders: re-queuing item due to optimistic locking on resource" key="default/doh-rlg6s-879856528" error="Operation cannot be fulfilled on orders.acme.cert-manager.io \"doh-rlg6s-879856528\": the object has been modified; please apply your changes to the latest version and try again"
E0621 07:15:22.912612       1 controller.go:208] "cert-manager/challenges: challenge in work queue no longer exists" err="challenge.acme.cert-manager.io \"doh-rlg6s-879856528-2980398084\" not found"

For example, I cannot recall if I saw

"Operation cannot be fulfilled on certificates.cert-manager.io \"doh\": the object has been modified; please apply your changes to the latest version and try again"

before.

[inteon]

@muffl0n that warning is unrelated to this PR. We have an alpha feature gate that fixes these warnings: ServerSideApply.
Feel free to check it out: https://github.com/cert-manager/cert-manager/blob/2417132b3cd017b5f0974006e03c2b8a540efe3f/internal/controller/feature/features.go#LL53C1-L53C1

[muffl0n]

Thanks for the clarification! With ServerSideApply everything looks fine.

[FlorianLiebhart]

@muffl0n! Very happy it works for you, thanks for the positive feedback! :)
So your certificates get issued and stored in secrets, as it seems.

As @inteon already said, the error message you see does not have anything to do with the changes made in my PR, as the part that was changed was not very invasive.

Also, the error message you see is actually on info level and is something that seems to have been around already for a few years.
After googling for it, I see it mentioned in two old Github issues already:

• Operation cannot be fulfilled on certificates.cert-manager.io the object has been modified #3501
• '..error"="Operation cannot be fulfilled...object has been modified..' lines in the logs #3667

And seems to have (not?) been resolved in this PR: #3794
As mentioned in the release notes of Cert-Manager here: https://cert-manager.io/docs/release-notes/release-notes-1.4/
(on that page, search for "optimistic locking" to find it).

Luckily, @inteon had the solution for you already. Great!:)