Domain for which certificate is asked for can have a CNAME, so we should check it.
If domain has a CNAME, create the challange TXT record in the alias domain.
This is useful in the scenario where a company like us is using some DNS provider
which is not supported dynamically. We can then create a CNAME for records like
_acme-challenge.example.com -> example.aws.hosted.com
So this will allow us getting cert for *.example.com with creating txt record in route53 for above exxample.
Improve logging in the case where the Service Account Secret is
loaded, but the Key is not found.
Previous behaviour was to fail without giving much help as to
why.
New behaviour confirms the key name and namespace/secret-name.
FIXES: 539
With async challenge Check, it is often happens,
that solver.Check() fails on first run after solver.Present()
Cert-manager then tries again, but starts with solver.Present(),
which not being idempotent right now fails on certain DNS providers.
This change swaps order of solver.Check() and solver.Present().
Check is not returning error if propagation not happened, it then
allows Present() to run.
In the current form, Present() will be spamming with errors,
but this doesn't stop Check from happening on every attempt,
so eventually Challenge can be verified and accepted. In the future,
Present() should be made idempotent.
This implements ambient credential support for AWS, gated behind flags
for issuers and cluster issuers.
This adds the pair of flags discussed in
https://github.com/jetstack/cert-manager/issues/308.
It provides an implementation for those flag's effects for the route53
solver.
The zone id is never read from the environment; this test tests
functionality which doesn't exist in the actual software, so there's no
point in having it.
This change maintains backwards compatibility, but makes the `accessKeyID` and `secretAccessKeySecretRef` fields of the `route53` DNS provider optional.
If not provided, AWS credentials will be loaded from `AWS_*` environment variables or the EC2 metadata service.
This should also work for things that impersonate the EC2 metadata service, such as [kube2iam](https://github.com/jtblin/kube2iam) and [kail](https://github.com/uswitch/kiam).
Signed-off-by: Matt Moyer <moyer@heptio.com>
