Changed SecretAccessKeyID member to pointer as it is optional and tagged omitempty. Added issuer tests for access key ID secret validation. Added issuer API validations for AccessKeyID/SecretAccessKeyID.

Signed-off-by: Compy <hello@86pixels.com>

internal/apis/acme/types_issuer.go

@@ -403,9 +403,9 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
 	// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
 	AccessKeyID string
 
-	// If set, pull the AWS access key ID from a key within a kubernetes secret. More info: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-	// https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-	SecretAccessKeyID cmmeta.SecretKeySelector
+	// If set, pull the AWS access key ID from a key within a kubernetes secret.
+	// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+	SecretAccessKeyID *cmmeta.SecretKeySelector
 
 	// The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
 	// https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials

internal/apis/acme/v1/zz_generated.conversion.go

@@ -1205,8 +1205,14 @@ func Convert_acme_ACMEIssuerDNS01ProviderRFC2136_To_v1_ACMEIssuerDNS01ProviderRF
 
 func autoConvert_v1_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRoute53(in *v1.ACMEIssuerDNS01ProviderRoute53, out *acme.ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
 	out.AccessKeyID = in.AccessKeyID
-	if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKeyID, &out.SecretAccessKeyID, s); err != nil {
-		return err
+	if in.SecretAccessKeyID != nil {
+		in, out := &in.SecretAccessKeyID, &out.SecretAccessKeyID
+		*out = new(meta.SecretKeySelector)
+		if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecretAccessKeyID = nil
 	}
 	if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
 		return err
@@ -1224,8 +1230,14 @@ func Convert_v1_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRo
 
 func autoConvert_acme_ACMEIssuerDNS01ProviderRoute53_To_v1_ACMEIssuerDNS01ProviderRoute53(in *acme.ACMEIssuerDNS01ProviderRoute53, out *v1.ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
 	out.AccessKeyID = in.AccessKeyID
-	if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKeyID, &out.SecretAccessKeyID, s); err != nil {
-		return err
+	if in.SecretAccessKeyID != nil {
+		in, out := &in.SecretAccessKeyID, &out.SecretAccessKeyID
+		*out = new(apismetav1.SecretKeySelector)
+		if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecretAccessKeyID = nil
 	}
 	if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
 		return err

internal/apis/acme/v1alpha2/types_issuer.go

@@ -460,7 +460,7 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
 	// If set, pull the AWS access key ID from a key within a kubernetes secret.
 	// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
 	// +optional
-	SecretAccessKeyID cmmeta.SecretKeySelector `json:"accessKeyIDSecretRef"`
+	SecretAccessKeyID *cmmeta.SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"`
 
 	// The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
 	// https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials

internal/apis/acme/v1alpha2/zz_generated.conversion.go

@@ -1204,8 +1204,14 @@ func Convert_acme_ACMEIssuerDNS01ProviderRFC2136_To_v1alpha2_ACMEIssuerDNS01Prov
 
 func autoConvert_v1alpha2_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRoute53(in *ACMEIssuerDNS01ProviderRoute53, out *acme.ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
 	out.AccessKeyID = in.AccessKeyID
-	if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKeyID, &out.SecretAccessKeyID, s); err != nil {
-		return err
+	if in.SecretAccessKeyID != nil {
+		in, out := &in.SecretAccessKeyID, &out.SecretAccessKeyID
+		*out = new(meta.SecretKeySelector)
+		if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecretAccessKeyID = nil
 	}
 	if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
 		return err
@@ -1223,8 +1229,14 @@ func Convert_v1alpha2_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01Prov
 
 func autoConvert_acme_ACMEIssuerDNS01ProviderRoute53_To_v1alpha2_ACMEIssuerDNS01ProviderRoute53(in *acme.ACMEIssuerDNS01ProviderRoute53, out *ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
 	out.AccessKeyID = in.AccessKeyID
-	if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKeyID, &out.SecretAccessKeyID, s); err != nil {
-		return err
+	if in.SecretAccessKeyID != nil {
+		in, out := &in.SecretAccessKeyID, &out.SecretAccessKeyID
+		*out = new(apismetav1.SecretKeySelector)
+		if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecretAccessKeyID = nil
 	}
 	if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
 		return err

internal/apis/acme/v1alpha2/zz_generated.deepcopy.go

@@ -124,7 +124,7 @@ func (in *ACMEChallengeSolverDNS01) DeepCopyInto(out *ACMEChallengeSolverDNS01)
 	if in.Route53 != nil {
 		in, out := &in.Route53, &out.Route53
 		*out = new(ACMEIssuerDNS01ProviderRoute53)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.AzureDNS != nil {
 		in, out := &in.AzureDNS, &out.AzureDNS
@@ -573,7 +573,11 @@ func (in *ACMEIssuerDNS01ProviderRFC2136) DeepCopy() *ACMEIssuerDNS01ProviderRFC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ACMEIssuerDNS01ProviderRoute53) DeepCopyInto(out *ACMEIssuerDNS01ProviderRoute53) {
 	*out = *in
-	out.SecretAccessKeyID = in.SecretAccessKeyID
+	if in.SecretAccessKeyID != nil {
+		in, out := &in.SecretAccessKeyID, &out.SecretAccessKeyID
+		*out = new(metav1.SecretKeySelector)
+		**out = **in
+	}
 	out.SecretAccessKey = in.SecretAccessKey
 	return
 }

internal/apis/acme/v1alpha3/types_issuer.go

@@ -460,7 +460,7 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
 	// If set, pull the AWS access key ID from a key within a kubernetes secret.
 	// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
 	// +optional
-	SecretAccessKeyID cmmeta.SecretKeySelector `json:"accessKeyIDSecretRef"`
+	SecretAccessKeyID *cmmeta.SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"`
 
 	// The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
 	// https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials

internal/apis/acme/v1alpha3/zz_generated.conversion.go

@@ -1204,8 +1204,14 @@ func Convert_acme_ACMEIssuerDNS01ProviderRFC2136_To_v1alpha3_ACMEIssuerDNS01Prov
 
 func autoConvert_v1alpha3_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRoute53(in *ACMEIssuerDNS01ProviderRoute53, out *acme.ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
 	out.AccessKeyID = in.AccessKeyID
-	if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKeyID, &out.SecretAccessKeyID, s); err != nil {
-		return err
+	if in.SecretAccessKeyID != nil {
+		in, out := &in.SecretAccessKeyID, &out.SecretAccessKeyID
+		*out = new(meta.SecretKeySelector)
+		if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecretAccessKeyID = nil
 	}
 	if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
 		return err
@@ -1223,8 +1229,14 @@ func Convert_v1alpha3_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01Prov
 
 func autoConvert_acme_ACMEIssuerDNS01ProviderRoute53_To_v1alpha3_ACMEIssuerDNS01ProviderRoute53(in *acme.ACMEIssuerDNS01ProviderRoute53, out *ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
 	out.AccessKeyID = in.AccessKeyID
-	if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKeyID, &out.SecretAccessKeyID, s); err != nil {
-		return err
+	if in.SecretAccessKeyID != nil {
+		in, out := &in.SecretAccessKeyID, &out.SecretAccessKeyID
+		*out = new(apismetav1.SecretKeySelector)
+		if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecretAccessKeyID = nil
 	}
 	if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
 		return err

internal/apis/acme/v1alpha3/zz_generated.deepcopy.go

@@ -124,7 +124,7 @@ func (in *ACMEChallengeSolverDNS01) DeepCopyInto(out *ACMEChallengeSolverDNS01)
 	if in.Route53 != nil {
 		in, out := &in.Route53, &out.Route53
 		*out = new(ACMEIssuerDNS01ProviderRoute53)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.AzureDNS != nil {
 		in, out := &in.AzureDNS, &out.AzureDNS
@@ -573,7 +573,11 @@ func (in *ACMEIssuerDNS01ProviderRFC2136) DeepCopy() *ACMEIssuerDNS01ProviderRFC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ACMEIssuerDNS01ProviderRoute53) DeepCopyInto(out *ACMEIssuerDNS01ProviderRoute53) {
 	*out = *in
-	out.SecretAccessKeyID = in.SecretAccessKeyID
+	if in.SecretAccessKeyID != nil {
+		in, out := &in.SecretAccessKeyID, &out.SecretAccessKeyID
+		*out = new(metav1.SecretKeySelector)
+		**out = **in
+	}
 	out.SecretAccessKey = in.SecretAccessKey
 	return
 }

internal/apis/acme/v1beta1/types_issuer.go

@@ -459,7 +459,7 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
 	// If set, pull the AWS access key ID from a key within a kubernetes secret.
 	// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
 	// +optional
-	SecretAccessKeyID cmmeta.SecretKeySelector `json:"accessKeyIDSecretRef"`
+	SecretAccessKeyID *cmmeta.SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"`
 
 	// The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
 	// https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials

internal/apis/acme/v1beta1/zz_generated.conversion.go

@@ -1204,8 +1204,14 @@ func Convert_acme_ACMEIssuerDNS01ProviderRFC2136_To_v1beta1_ACMEIssuerDNS01Provi
 
 func autoConvert_v1beta1_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRoute53(in *ACMEIssuerDNS01ProviderRoute53, out *acme.ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
 	out.AccessKeyID = in.AccessKeyID
-	if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKeyID, &out.SecretAccessKeyID, s); err != nil {
-		return err
+	if in.SecretAccessKeyID != nil {
+		in, out := &in.SecretAccessKeyID, &out.SecretAccessKeyID
+		*out = new(meta.SecretKeySelector)
+		if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecretAccessKeyID = nil
 	}
 	if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
 		return err
@@ -1223,8 +1229,14 @@ func Convert_v1beta1_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01Provi
 
 func autoConvert_acme_ACMEIssuerDNS01ProviderRoute53_To_v1beta1_ACMEIssuerDNS01ProviderRoute53(in *acme.ACMEIssuerDNS01ProviderRoute53, out *ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
 	out.AccessKeyID = in.AccessKeyID
-	if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKeyID, &out.SecretAccessKeyID, s); err != nil {
-		return err
+	if in.SecretAccessKeyID != nil {
+		in, out := &in.SecretAccessKeyID, &out.SecretAccessKeyID
+		*out = new(apismetav1.SecretKeySelector)
+		if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.SecretAccessKeyID = nil
 	}
 	if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
 		return err

internal/apis/acme/v1beta1/zz_generated.deepcopy.go

@@ -124,7 +124,7 @@ func (in *ACMEChallengeSolverDNS01) DeepCopyInto(out *ACMEChallengeSolverDNS01)
 	if in.Route53 != nil {
 		in, out := &in.Route53, &out.Route53
 		*out = new(ACMEIssuerDNS01ProviderRoute53)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.AzureDNS != nil {
 		in, out := &in.AzureDNS, &out.AzureDNS
@@ -573,7 +573,11 @@ func (in *ACMEIssuerDNS01ProviderRFC2136) DeepCopy() *ACMEIssuerDNS01ProviderRFC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ACMEIssuerDNS01ProviderRoute53) DeepCopyInto(out *ACMEIssuerDNS01ProviderRoute53) {
 	*out = *in
-	out.SecretAccessKeyID = in.SecretAccessKeyID
+	if in.SecretAccessKeyID != nil {
+		in, out := &in.SecretAccessKeyID, &out.SecretAccessKeyID
+		*out = new(metav1.SecretKeySelector)
+		**out = **in
+	}
 	out.SecretAccessKey = in.SecretAccessKey
 	return
 }

internal/apis/acme/zz_generated.deepcopy.go

@@ -124,7 +124,7 @@ func (in *ACMEChallengeSolverDNS01) DeepCopyInto(out *ACMEChallengeSolverDNS01)
 	if in.Route53 != nil {
 		in, out := &in.Route53, &out.Route53
 		*out = new(ACMEIssuerDNS01ProviderRoute53)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.AzureDNS != nil {
 		in, out := &in.AzureDNS, &out.AzureDNS
@@ -573,7 +573,11 @@ func (in *ACMEIssuerDNS01ProviderRFC2136) DeepCopy() *ACMEIssuerDNS01ProviderRFC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ACMEIssuerDNS01ProviderRoute53) DeepCopyInto(out *ACMEIssuerDNS01ProviderRoute53) {
 	*out = *in
-	out.SecretAccessKeyID = in.SecretAccessKeyID
+	if in.SecretAccessKeyID != nil {
+		in, out := &in.SecretAccessKeyID, &out.SecretAccessKeyID
+		*out = new(meta.SecretKeySelector)
+		**out = **in
+	}
 	out.SecretAccessKey = in.SecretAccessKey
 	return
 }

internal/apis/certmanager/validation/issuer.go

@@ -404,6 +404,17 @@ func ValidateACMEChallengeSolverDNS01(p *cmacme.ACMEChallengeSolverDNS01, fldPat
 			if len(p.Route53.Region) == 0 {
 				el = append(el, field.Required(fldPath.Child("route53", "region"), ""))
 			}
+			// accessKeyID or accessKeyIDSecretRef must be specified, but not both
+			if len(p.Route53.AccessKeyID) == 0 && p.Route53.SecretAccessKeyID == nil {
+				el = append(el, field.Required(fldPath.Child("route53"), "accessKeyID or accessKeyIDSecretRef is required"))
+			}
+			if len(p.Route53.AccessKeyID) > 0 && p.Route53.SecretAccessKeyID != nil {
+				el = append(el, field.Required(fldPath.Child("route53"), "accessKeyID and accessKeyIDSecretRef cannot both be specified"))
+			}
+			// if an accessKeyIDSecretRef is given, validate that it resolves to an actual secret
+			if p.Route53.SecretAccessKeyID != nil {
+				el = append(el, ValidateSecretKeySelector(p.Route53.SecretAccessKeyID, fldPath.Child("route53", "accessKeyIDSecretRef"))...)
+			}
 		}
 	}
 	if p.AcmeDNS != nil {

internal/apis/certmanager/validation/issuer_test.go

@@ -711,6 +711,29 @@ func TestValidateACMEIssuerDNS01Config(t *testing.T) {
 			},
 			errs: []*field.Error{
 				field.Required(fldPath.Child("route53", "region"), ""),
+				field.Required(fldPath.Child("route53"), "accessKeyID or accessKeyIDSecretRef is required"),
+			},
+		},
+		"missing route53 accessKeyID and accessKeyIDSecretRef": {
+			cfg: &cmacme.ACMEChallengeSolverDNS01{
+				Route53: &cmacme.ACMEIssuerDNS01ProviderRoute53{
+					Region: "valid",
+				},
+			},
+			errs: []*field.Error{
+				field.Required(fldPath.Child("route53"), "accessKeyID or accessKeyIDSecretRef is required"),
+			},
+		},
+		"both route53 accessKeyID and accessKeyIDSecretRef specified": {
+			cfg: &cmacme.ACMEChallengeSolverDNS01{
+				Route53: &cmacme.ACMEIssuerDNS01ProviderRoute53{
+					Region:            "valid",
+					AccessKeyID:       "valid",
+					SecretAccessKeyID: &validSecretKeyRef,
+				},
+			},
+			errs: []*field.Error{
+				field.Required(fldPath.Child("route53"), "accessKeyID and accessKeyIDSecretRef cannot both be specified"),
 			},
 		},
 		"missing provider config": {

pkg/apis/acme/v1/types_issuer.go

@@ -463,7 +463,7 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
 	// If set, pull the AWS access key ID from a key within a kubernetes secret.
 	// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
 	// +optional
-	SecretAccessKeyID cmmeta.SecretKeySelector `json:"accessKeyIDSecretRef"`
+	SecretAccessKeyID *cmmeta.SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"`
 
 	// The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
 	// https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials

pkg/apis/acme/v1/zz_generated.deepcopy.go

@@ -124,7 +124,7 @@ func (in *ACMEChallengeSolverDNS01) DeepCopyInto(out *ACMEChallengeSolverDNS01)
 	if in.Route53 != nil {
 		in, out := &in.Route53, &out.Route53
 		*out = new(ACMEIssuerDNS01ProviderRoute53)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.AzureDNS != nil {
 		in, out := &in.AzureDNS, &out.AzureDNS
@@ -573,7 +573,11 @@ func (in *ACMEIssuerDNS01ProviderRFC2136) DeepCopy() *ACMEIssuerDNS01ProviderRFC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ACMEIssuerDNS01ProviderRoute53) DeepCopyInto(out *ACMEIssuerDNS01ProviderRoute53) {
 	*out = *in
-	out.SecretAccessKeyID = in.SecretAccessKeyID
+	if in.SecretAccessKeyID != nil {
+		in, out := &in.SecretAccessKeyID, &out.SecretAccessKeyID
+		*out = new(metav1.SecretKeySelector)
+		**out = **in
+	}
 	out.SecretAccessKey = in.SecretAccessKey
 	return
 }

pkg/issuer/acme/dns/dns.go

@@ -299,6 +299,16 @@ func (s *Solver) solverForChallenge(ctx context.Context, issuer v1.GenericIssuer
 			return nil, nil, fmt.Errorf("route53 accessKeyID and accessKeyIDSecretRef cannot both be specified")
 		}
 
+		// If a SecretAccessKeyID name is given, make sure we have a key specified as well
+		if providerConfig.Route53.SecretAccessKeyID.Name != "" && providerConfig.Route53.SecretAccessKeyID.Key == "" {
+			return nil, nil, fmt.Errorf("route53 accessKeyIDSecretRef requires a key field to be specified")
+		}
+
+		// If a SecretAccessKeyID key is given, make sure there is a name specified as well
+		if providerConfig.Route53.SecretAccessKeyID.Key != "" && providerConfig.Route53.SecretAccessKeyID.Name == "" {
+			return nil, nil, fmt.Errorf("route53 accessKeyIDSecretRef requires a name field to be specified")
+		}
+
 		// Default to the AccessKeyID literal in the configuration
 		secretAccessKeyID := strings.TrimSpace(providerConfig.Route53.AccessKeyID)