From 6ba4ef21b171802baa09d4be92cd47f18ade5e04 Mon Sep 17 00:00:00 2001 From: Michael Tsang Date: Thu, 13 Jun 2019 15:28:23 +0100 Subject: [PATCH] Document cnameStrategy Signed-off-by: Michael Tsang --- docs/tasks/issuers/setup-acme/dns01/index.rst | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/docs/tasks/issuers/setup-acme/dns01/index.rst b/docs/tasks/issuers/setup-acme/dns01/index.rst index 1a2755052..a4c91049a 100644 --- a/docs/tasks/issuers/setup-acme/dns01/index.rst +++ b/docs/tasks/issuers/setup-acme/dns01/index.rst @@ -64,6 +64,41 @@ Example usage:: .. _supported-dns01-providers: +Delegated Domains for DNS01 +=========================== + +By default, cert-manager will not follow CNAME records pointing to subdomains. + +If granting cert-manager access to the root DNS zone is not desired, then the +_acme-challenge.example.com subdomain can instead be delegated to some other, +less privileged domain. +Once a CNAME record has been configured to point at the desired domain, and the +DNS configuration/credentials for the zone that *should be updated* have been +provided, all that is left to be done is adding an additional field into the +relevant `dns01` solver: + +.. code-block:: yaml + :linenos: + :emphasize-lines: 11 + + apiVersion: certmanager.k8s.io/v1alpha1 + kind: Issuer + metadata: + ... + spec: + acme: + ... + solvers: + - dns01: + # Valid values are None and Follow + cnameStrategy: Follow + clouddns: + ... + +cert-manager will then follow CNAME records recursively in order to determine +which DNS zone to update during DNS01 challenges. + + ************************* Supported DNS01 providers *************************
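Review bot: The added "Delegated Domains for DNS01" section lands between the `.. _supported-dns01-providers:` label and the "Supported DNS01 providers" heading it is meant to label, so the label will now attach to the new section and any `:ref:` to it will resolve to the wrong title. Move the added block above the label line, or after the providers section, so the label stays immediately before its own heading. In the added prose, `dns01` is written with single backticks, which reStructuredText treats as interpreted text rather than an inline literal; use double backticks there and around _acme-challenge.example.com, whose leading underscore is otherwise easy to misread. The opening sentence "will not follow CNAME records pointing to subdomains" is hard to parse, and the YAML comment lists None and Follow without saying which one corresponds to the default behaviour described in that sentence; stating that explicitly would tie the two together.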