add support CNAME for dns-01 challenge

[gurvindersingh]

What this PR does / why we need it:
Domain for which certificate is asked for can have a CNAME, so we should check it.
If domain has a CNAME, create the challenge TXT record in the alias domain.

This is useful in the scenario where a company like us is using some DNS provider
which is not supported dynamically. We can then create a CNAME for records like

_acme-challenge.example.com -> example.aws.hosted.com

So this will allow us getting cert for *.example.com with creating a TXT record in route53 hosted zone for above example.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

Release note:

Add support for delegating DNS-01 challenges using CNAME records.

[jetstack-bot]

Hi @gurvindersingh. Thanks for your PR.

I'm waiting for a cert-manager or jetstack member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[munnerz]

Thanks very much for this PR, there's been a few requests for this made in the past! 😄

/ok-to-test
/cc @lenartj

[gurvindersingh]

@munnerz any update on this PR

[munnerz]

/assign @kragniz

[kragniz]

Thanks @gurvindersingh! I've sucessfully run this using digitalocean, delegating to google clouddns for challenges. With the addition of #750, it's working fine.

/lgtm

[kragniz]

/approve

[jetstack-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kragniz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [kragniz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[munnerz]

Some comments that can be addressed in a follow up.

Thanks very much for the addition @gurvindersingh!

/cc @kragniz

[munnerz]

What if the err != nil due to some failure other than record does not exist?

[munnerz]

nit: it's -> its

[munnerz]

RecursiveNameservers does not respect the recently added --dns01-self-check-nameservers flag. We should plumb this into this point too imo.

[kragniz]

/retest

[sebastian-myrepublic]

Even with #750 it's still not working for me.

This seems to not entirely solved the issue?
We tried using v0.5.0 together with the CNAME setup for the _acme-challenge record.
We can see:

textPayload: "Updating FQDN: _acme-challenge.app.xxx.xxx.xxx with it's CNAME: app-acme.yyy.yyy.yyy"

textPayload: "Error preparing issuer for certificate prod/ingress-public-svcs-1-prod-lseprod-tls: dns-01 self check failed for domain "app.xxx.xxx.xxx""

So it's looking for the domain "app.xxx.xxx.xxx" instead of following the CNAME record pointing to app-acme.yyy.yyy.yyy
So the correct way would be to search in the zone yyy.yyy.yyy (hosted on CloudDNS) and then create a TXT record in there matching the CNAME app-acme.yyy.yyy.yyy

The current fix "zone, err := c.getHostedZone(fqdn)" does not seem to follow the configured CNAME, if the CNAME belongs to a different zone than the original requested FQDN.

Please help.

[kostyrev]

@gurvindersingh Could you please post your config's in order to obtain wildcard cert for *.example.com. I can't figure it out.
I've got dns zone example.com that I cannot update with cert-manager and example.cloud that I can.
Having read the thread I supposed that it is possible to obtain certificate for '*.example.com' and for this to work one need to

• create CNAME record in example.com like this
  _acme-challenge.example.com. 591 IN CNAME example.cloud.
• configure cert-manager to be able to update example.cloud zone
• set cnameStrategy

      providers:
        - name: route53-example-cloud
          cnameStrategy: "Follow"
          route53:
            region: us-east-1
            hostedZoneID: blabla

• and configure ingress like this

ingress:
  annotations:
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/acme-challenge-type: "dns01"
    certmanager.k8s.io/acme-dns01-provider: "route53-example-cloud"
  tls:
    - hosts:
      - '*.example.com'
      secretName: wildcard-example-com-tls
  rules:
    - host: echo.example.cloud

in cert-manager logs I get

cert-manager I0130 15:24:17.037900       1 wait.go:70] Updating FQDN: _acme-challenge.example.com. with it's CNAME: example.cloud.

nothing happens and that line does not look right to me.
it's quay.io/jetstack/cert-manager-controller:v0.6.0 of course