Add TLS-SNI and TLS-ALPN challenge types

Signed-off-by: James Munnelly <james@munnelly.eu>

deploy/crds/crd-challenges.yaml

@@ -1470,6 +1470,9 @@ spec:
                 enum:
                 - http-01
                 - dns-01
+                - tls-alpn-01
+                - tls-sni-01
+                - tls-sni-02
               url:
                 description: URL is the URL of the ACME Challenge resource for this
                   challenge. This can be used to lookup details about the status of
@@ -2934,6 +2937,9 @@ spec:
                 enum:
                 - http-01
                 - dns-01
+                - tls-alpn-01
+                - tls-sni-01
+                - tls-sni-02
               url:
                 description: URL is the URL of the ACME Challenge resource for this
                   challenge. This can be used to lookup details about the status of
@@ -4399,6 +4405,9 @@ spec:
                 enum:
                 - HTTP-01
                 - DNS-01
+                - TLS-ALPN-01
+                - TLS-SNI-01
+                - TLS-SNI-02
               url:
                 description: The URL of the ACME Challenge resource for this challenge.
                   This can be used to lookup details about the status of this challenge.

deploy/crds/crd-orders.yaml

@@ -161,6 +161,9 @@ spec:
                             enum:
                             - http-01
                             - dns-01
+                            - tls-alpn-01
+                            - tls-sni-01
+                            - tls-sni-02
                           url:
                             description: URL is the URL of this challenge. It can
                               be used to retrieve additional metadata about the Challenge
@@ -348,6 +351,9 @@ spec:
                             enum:
                             - http-01
                             - dns-01
+                            - tls-alpn-01
+                            - tls-sni-01
+                            - tls-sni-02
                           url:
                             description: URL is the URL of this challenge. It can
                               be used to retrieve additional metadata about the Challenge
@@ -536,6 +542,9 @@ spec:
                             enum:
                             - HTTP-01
                             - DNS-01
+                            - TLS-ALPN-01
+                            - TLS-SNI-01
+                            - TLS-SNI-02
                           url:
                             description: URL is the URL of this challenge. It can
                               be used to retrieve additional metadata about the Challenge

pkg/apis/acme/v1alpha2/types_order.go

@@ -168,15 +168,31 @@ type ACMEChallenge struct {
 }
 
 // ACMEChallengeType denotes a type of ACME challenge
-// +kubebuilder:validation:Enum=http-01;dns-01
+// +kubebuilder:validation:Enum=http-01;dns-01;tls-alpn-01;tls-sni-01;tls-sni-02
 type ACMEChallengeType string
 
 const (
 	// ACMEChallengeTypeHTTP01 denotes a Challenge is of type http-01
+	// More info: https://letsencrypt.org/docs/challenge-types/#http-01-challenge
 	ACMEChallengeTypeHTTP01 ACMEChallengeType = "http-01"
 
 	// ACMEChallengeTypeDNS01 denotes a Challenge is of type dns-01
+	// More info: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
 	ACMEChallengeTypeDNS01 ACMEChallengeType = "dns-01"
+
+	// ACMEChallengeTypeTLSALPN01 denotes a Challenge is of type tls-alpn-01.
+	// More info: https://letsencrypt.org/docs/challenge-types/#tls-alpn-01
+	ACMEChallengeTypeTLSALPN01 ACMEChallengeType = "tls-alpn-01"
+
+	// ACMEChallengeTypeTLSSNI01 denotes a Challenge is of type tls-sni-01.
+	// This challenge type is not currently available but is reserved as per
+	// RFC8555: https://tools.ietf.org/html/rfc8555#section-9.7.8
+	ACMEChallengeTypeTLSSNI01 ACMEChallengeType = "tls-sni-01"
+
+	// ACMEChallengeTypeTLSSNI02 denotes a Challenge is of type tls-sni-02.
+	// This challenge type is not currently available but is reserved as per
+	// RFC8555: https://tools.ietf.org/html/rfc8555#section-9.7.8
+	ACMEChallengeTypeTLSSNI02 ACMEChallengeType = "tls-sni-02"
 )
 
 // State represents the state of an ACME resource, such as an Order.

pkg/apis/acme/v1alpha3/types_order.go

@@ -168,15 +168,31 @@ type ACMEChallenge struct {
 }
 
 // ACMEChallengeType denotes a type of ACME challenge
-// +kubebuilder:validation:Enum=http-01;dns-01
+// +kubebuilder:validation:Enum=http-01;dns-01;tls-alpn-01;tls-sni-01;tls-sni-02
 type ACMEChallengeType string
 
 const (
 	// ACMEChallengeTypeHTTP01 denotes a Challenge is of type http-01
+	// More info: https://letsencrypt.org/docs/challenge-types/#http-01-challenge
 	ACMEChallengeTypeHTTP01 ACMEChallengeType = "http-01"
 
 	// ACMEChallengeTypeDNS01 denotes a Challenge is of type dns-01
+	// More info: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
 	ACMEChallengeTypeDNS01 ACMEChallengeType = "dns-01"
+
+	// ACMEChallengeTypeTLSALPN01 denotes a Challenge is of type tls-alpn-01.
+	// More info: https://letsencrypt.org/docs/challenge-types/#tls-alpn-01
+	ACMEChallengeTypeTLSALPN01 ACMEChallengeType = "tls-alpn-01"
+
+	// ACMEChallengeTypeTLSSNI01 denotes a Challenge is of type tls-sni-01.
+	// This challenge type is not currently available but is reserved as per
+	// RFC8555: https://tools.ietf.org/html/rfc8555#section-9.7.8
+	ACMEChallengeTypeTLSSNI01 ACMEChallengeType = "tls-sni-01"
+
+	// ACMEChallengeTypeTLSSNI02 denotes a Challenge is of type tls-sni-02.
+	// This challenge type is not currently available but is reserved as per
+	// RFC8555: https://tools.ietf.org/html/rfc8555#section-9.7.8
+	ACMEChallengeTypeTLSSNI02 ACMEChallengeType = "tls-sni-02"
 )
 
 // State represents the state of an ACME resource, such as an Order.

pkg/apis/acme/v1beta1/types_order.go

@@ -169,15 +169,31 @@ type ACMEChallenge struct {
 }
 
 // ACMEChallengeType denotes a type of ACME challenge
-// +kubebuilder:validation:Enum=HTTP-01;DNS-01
+// +kubebuilder:validation:Enum=HTTP-01;DNS-01;TLS-ALPN-01;TLS-SNI-01;TLS-SNI-02
 type ACMEChallengeType string
 
 const (
-	// ACMEChallengeTypeHTTP01 denotes a Challenge is of type HTTP-01
+	// ACMEChallengeTypeHTTP01 denotes a Challenge is of type http-01
+	// More info: https://letsencrypt.org/docs/challenge-types/#http-01-challenge
 	ACMEChallengeTypeHTTP01 ACMEChallengeType = "HTTP-01"
 
-	// ACMEChallengeTypeDNS01 denotes a Challenge is of type DNS-01
+	// ACMEChallengeTypeDNS01 denotes a Challenge is of type dns-01
+	// More info: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
 	ACMEChallengeTypeDNS01 ACMEChallengeType = "DNS-01"
+
+	// ACMEChallengeTypeTLSALPN01 denotes a Challenge is of type tls-alpn-01.
+	// More info: https://letsencrypt.org/docs/challenge-types/#tls-alpn-01
+	ACMEChallengeTypeTLSALPN01 ACMEChallengeType = "TLS-ALPN-01"
+
+	// ACMEChallengeTypeTLSSNI01 denotes a Challenge is of type tls-sni-01.
+	// This challenge type is not currently available but is reserved as per
+	// RFC8555: https://tools.ietf.org/html/rfc8555#section-9.7.8
+	ACMEChallengeTypeTLSSNI01 ACMEChallengeType = "TLS-SNI-01"
+
+	// ACMEChallengeTypeTLSSNI02 denotes a Challenge is of type tls-sni-02.
+	// This challenge type is not currently available but is reserved as per
+	// RFC8555: https://tools.ietf.org/html/rfc8555#section-9.7.8
+	ACMEChallengeTypeTLSSNI02 ACMEChallengeType = "TLS-SNI-02"
 )
 
 // State represents the state of an ACME resource, such as an Order.

pkg/internal/apis/acme/types_order.go

@@ -157,11 +157,27 @@ type ACMEChallenge struct {
 type ACMEChallengeType string
 
 const (
-	// ACMEChallengeTypeHTTP01 denotes a Challenge is of type HTTP-01
+	// ACMEChallengeTypeHTTP01 denotes a Challenge is of type http-01
+	// More info: https://letsencrypt.org/docs/challenge-types/#http-01-challenge
 	ACMEChallengeTypeHTTP01 ACMEChallengeType = "HTTP-01"
 
-	// ACMEChallengeTypeDNS01 denotes a Challenge is of type DNS-01
+	// ACMEChallengeTypeDNS01 denotes a Challenge is of type dns-01
+	// More info: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
 	ACMEChallengeTypeDNS01 ACMEChallengeType = "DNS-01"
+
+	// ACMEChallengeTypeTLSALPN01 denotes a Challenge is of type tls-alpn-01.
+	// More info: https://letsencrypt.org/docs/challenge-types/#tls-alpn-01
+	ACMEChallengeTypeTLSALPN01 ACMEChallengeType = "TLS-ALPN-01"
+
+	// ACMEChallengeTypeTLSSNI01 denotes a Challenge is of type tls-sni-01.
+	// This challenge type is not currently available but is reserved as per
+	// RFC8555: https://tools.ietf.org/html/rfc8555#section-9.7.8
+	ACMEChallengeTypeTLSSNI01 ACMEChallengeType = "TLS-SNI-01"
+
+	// ACMEChallengeTypeTLSSNI02 denotes a Challenge is of type tls-sni-02.
+	// This challenge type is not currently available but is reserved as per
+	// RFC8555: https://tools.ietf.org/html/rfc8555#section-9.7.8
+	ACMEChallengeTypeTLSSNI02 ACMEChallengeType = "TLS-SNI-02"
 )
 
 // State represents the state of an ACME resource, such as an Order.

pkg/internal/apis/acme/v1alpha2/conversion.go

@@ -35,6 +35,12 @@ func Convert_v1alpha2_ChallengeSpec_To_acme_ChallengeSpec(in *v1alpha2.Challenge
 		out.Type = acme.ACMEChallengeTypeHTTP01
 	case v1alpha2.ACMEChallengeTypeDNS01:
 		out.Type = acme.ACMEChallengeTypeDNS01
+	case v1alpha2.ACMEChallengeTypeTLSALPN01:
+		out.Type = acme.ACMEChallengeTypeTLSALPN01
+	case v1alpha2.ACMEChallengeTypeTLSSNI01:
+		out.Type = acme.ACMEChallengeTypeTLSSNI01
+	case v1alpha2.ACMEChallengeTypeTLSSNI02:
+		out.Type = acme.ACMEChallengeTypeTLSSNI02
 	default:
 		// this case should never be hit due to validation
 		out.Type = acme.ACMEChallengeType(in.Type)
@@ -55,6 +61,12 @@ func Convert_acme_ChallengeSpec_To_v1alpha2_ChallengeSpec(in *acme.ChallengeSpec
 		out.Type = v1alpha2.ACMEChallengeTypeHTTP01
 	case acme.ACMEChallengeTypeDNS01:
 		out.Type = v1alpha2.ACMEChallengeTypeDNS01
+	case acme.ACMEChallengeTypeTLSALPN01:
+		out.Type = v1alpha2.ACMEChallengeTypeTLSALPN01
+	case acme.ACMEChallengeTypeTLSSNI01:
+		out.Type = v1alpha2.ACMEChallengeTypeTLSSNI01
+	case acme.ACMEChallengeTypeTLSSNI02:
+		out.Type = v1alpha2.ACMEChallengeTypeTLSSNI02
 	default:
 		// this case should never be hit due to validation
 		out.Type = v1alpha2.ACMEChallengeType(in.Type)

pkg/internal/apis/acme/v1alpha3/conversion.go

@@ -35,6 +35,12 @@ func Convert_v1alpha3_ChallengeSpec_To_acme_ChallengeSpec(in *v1alpha3.Challenge
 		out.Type = acme.ACMEChallengeTypeHTTP01
 	case v1alpha3.ACMEChallengeTypeDNS01:
 		out.Type = acme.ACMEChallengeTypeDNS01
+	case v1alpha3.ACMEChallengeTypeTLSALPN01:
+		out.Type = acme.ACMEChallengeTypeTLSALPN01
+	case v1alpha3.ACMEChallengeTypeTLSSNI01:
+		out.Type = acme.ACMEChallengeTypeTLSSNI01
+	case v1alpha3.ACMEChallengeTypeTLSSNI02:
+		out.Type = acme.ACMEChallengeTypeTLSSNI02
 	default:
 		// this case should never be hit due to validation
 		out.Type = acme.ACMEChallengeType(in.Type)
@@ -55,6 +61,12 @@ func Convert_acme_ChallengeSpec_To_v1alpha3_ChallengeSpec(in *acme.ChallengeSpec
 		out.Type = v1alpha3.ACMEChallengeTypeHTTP01
 	case acme.ACMEChallengeTypeDNS01:
 		out.Type = v1alpha3.ACMEChallengeTypeDNS01
+	case acme.ACMEChallengeTypeTLSALPN01:
+		out.Type = v1alpha3.ACMEChallengeTypeTLSALPN01
+	case acme.ACMEChallengeTypeTLSSNI01:
+		out.Type = v1alpha3.ACMEChallengeTypeTLSSNI01
+	case acme.ACMEChallengeTypeTLSSNI02:
+		out.Type = v1alpha3.ACMEChallengeTypeTLSSNI02
 	default:
 		// this case should never be hit due to validation
 		out.Type = v1alpha3.ACMEChallengeType(in.Type)