feat: Support ACME DNS01 recursive nameservers config

ThomasVitale · ThomasVitale · commit 20125b9e5802 · 2025-05-30T21:17:23.000+02:00
diff --git a/README.md b/README.md
@@ -115,6 +115,8 @@ Settings for the cert-manager controller.
 |--------|---------|-------------|
 | `controller.loglevel` | `2` | Number of the log level verbosity. |
 | `controller.replicas` | `1` | The number of replicas. In order to enable high availability, 2 replicas are recommended. |
+| `controller.dns01.recursive_nameservers` | `[]` | Each nameserver can be either the IP address and port of a standard recursive DNS server, or the endpoint to an RFC 8484 DNS over HTTPS endpoint. |
+| `controller.dns01.recursive_nameservers_only` | `false` | When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers. |
 
 Settings for the cert-manager cainjector.
 
diff --git a/package/config/overlays/config-controller.yml b/package/config/overlays/config-controller.yml
@@ -20,6 +20,10 @@ logging:
 
 acmeHTTP01Config:
   solverImage: quay.io/jetstack/cert-manager-acmesolver:v1.17.2
+
+acmeDNS01Config:
+  recursiveNameservers: #@ data.values.controller.dns01.recursive_nameservers
+  recursiveNameserversOnly: #@ data.values.controller.dns01.recursive_nameservers_only
 #@ end
 
 ---
diff --git a/package/config/values-schema.yml b/package/config/values-schema.yml
@@ -27,6 +27,13 @@ controller:
   #@schema/desc "The number of replicas. In order to enable high availability, 2 replicas are recommended."
   #@schema/validation min=1
   replicas: 1
+  #@schema/desc "Configures the behaviour of the ACME DNS01 challenge solver."
+  dns01:
+    #@schema/desc "Each nameserver can be either the IP address and port of a standard recursive DNS server, or the endpoint to an RFC 8484 DNS over HTTPS endpoint."
+    recursive_nameservers:
+      - ""
+    #@schema/desc "When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers."
+    recursive_nameservers_only: false
 
 #@schema/desc "Settings for the cainjector controller."
 cainjector:
