Skip to content

docs: add ACK RRSA supported AliDNS webhook#1909

Open
crazygit wants to merge 4 commits intocert-manager:masterfrom
crazygit:master
Open

docs: add ACK RRSA supported AliDNS webhook#1909
crazygit wants to merge 4 commits intocert-manager:masterfrom
crazygit:master

Conversation

@crazygit
Copy link

@crazygit crazygit commented Jan 8, 2026

Description

This PR adds a link to a community-maintained Alibaba Cloud DNS (AliDNS) webhook solver to the documentation.

Details

I have developed a custom webhook for AliDNS based on the cert-manager/webhook-example.
It allows users to solve ACME DNS01 challenges using Alibaba Cloud DNS with ACK RRSA feature.

  • Repository: crazygit/cert-manager-alidns-webhook
  • Testing: I have implemented both unit tests and integration tests to verify the solver functionality. All tests passed successfully. I also have verified the webhook functionality in ACK cluster.

@cert-manager-prow cert-manager-prow bot added the dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. label Jan 8, 2026
@cert-manager-prow
Copy link
Contributor

cert-manager-prow bot commented Jan 8, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jakexks for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jan 8, 2026
@netlify
Copy link

netlify bot commented Jan 8, 2026
edited
Loading

Deploy Preview for cert-manager ready!

Built without sensitive environment variables

Name Link
🔨 Latest commit 30b2a5f
🔍 Latest deploy log https://app.netlify.com/projects/cert-manager/deploys/6976b292115111000837312a
😎 Deploy Preview https://deploy-preview-1909--cert-manager.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@crazygit
docs: add ACK RRSA supported AliDNS webhook
40863c1 
Signed-off-by: Crazygit <lianglin999@gmail.com>
@cert-manager-prow cert-manager-prow bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. labels Jan 8, 2026
@crazygit
Copy link
Author

crazygit commented Jan 24, 2026

@hawksight @erikgb Could you please review this PR? If it looks good, a /lgtm would be appreciated. Thanks!

erikgb
erikgb reviewed Jan 25, 2026
View reviewed changes
content/docs/configuration/acme/dns01/README.md
- [`AliDNS-Webhook`](https://github.com/pragkent/alidns-webhook)
- [`bizflycloud-certmanager-dns-webhook`](https://github.com/bizflycloud/bizflycloud-certmanager-dns-webhook)
- [`cert-manager-alidns-webhook`](https://github.com/DEVmachine-fr/cert-manager-alidns-webhook)
- [`cert-manager-alidns-webhook`](https://github.com/crazygit/cert-manager-alidns-webhook)(Suport ACK RRSA)
Copy link
Member

@erikgb erikgb Jan 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks a bit odd. I am no expert on AliDNS, but why didn't you contribute "ACK RRSA" to the AliDNS webhook linked in the line above?

Copy link
Author

@crazygit crazygit Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@erikgb Thanks for the question — I agree it’s important to avoid unnecessary duplication.

  • What’s different here: this repo is designed around ACK RRSA / OIDC and the Alibaba Cloud SDK default credential chain, so authentication happens on the webhook side without putting AK/SK into Issuer secrets. The existing AliDNS webhook is AK/SK‑based, configured via Issuer secrets, so the auth model is quite different.

  • Why I didn’t submit to the other repo: adding RRSA support there would likely be more than a small patch — it would involve changes to the auth flow, config schema, and docs, and I wanted to avoid disrupting existing AK/SK users. I also wanted to keep the RRSA‑first approach focused and clear, since it targets newer cert-manager versions and the ACK RRSA identity scenario specifically.

Thanks for considering this and for the review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@erikgb erikgb erikgb left review comments

Assignees

No one assigned

Labels

dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@crazygit @erikgb