docs: add ACK RRSA supported AliDNS webhook#1909
Signed-off-by: Crazygit <lianglin999@gmail.com>
@hawksight @erikgb Could you please review this PR? If it looks good, a /lgtm would be appreciated. Thanks!
| - [`AliDNS-Webhook`](https://github.com/pragkent/alidns-webhook) | ||
| - [`bizflycloud-certmanager-dns-webhook`](https://github.com/bizflycloud/bizflycloud-certmanager-dns-webhook) | ||
| - [`cert-manager-alidns-webhook`](https://github.com/DEVmachine-fr/cert-manager-alidns-webhook) | ||
| - [`cert-manager-alidns-webhook`](https://github.com/crazygit/cert-manager-alidns-webhook)(Suport ACK RRSA) |
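Review bot: the last added line has a typo and a formatting slip in its parenthetical: "Suport" should read "Support", and a space is missing between the closing `)` of the link and the opening `(`, so the item should end `...cert-manager-alidns-webhook) (Support ACK RRSA)`. The same line also reuses the display name `cert-manager-alidns-webhook` from the entry directly above it, so the two items are indistinguishable by name; consider a distinct label for the new entry if it is kept.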
This looks a bit odd. I am no expert on AliDNS, but why didn't you contribute "ACK RRSA" to the AliDNS webhook linked in the line above?
@erikgb Thanks for the question — I agree it’s important to avoid unnecessary duplication.

What’s different here: this repo is designed around ACK RRSA / OIDC and the Alibaba Cloud SDK default credential chain, so authentication happens on the webhook side without putting AK/SK into Issuer secrets. The existing AliDNS webhook is AK/SK-based, configured via Issuer secrets, so the auth model is quite different.

Why I didn’t submit to the other repo: adding RRSA support there would likely be more than a small patch — it would involve changes to the auth flow, config schema, and docs, and I wanted to avoid disrupting existing AK/SK users. I also wanted to keep the RRSA-first approach focused and clear, since it targets newer cert-manager versions and the ACK RRSA identity scenario specifically.
Thanks for considering this and for the review.
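As an added illustration of the two authentication models described in the comment above (not taken from either webhook project), the following shows an Issuer that hands a static AK/SK pair to the solver beside an RRSA-style deployment that carries no key material; the solver config key names, resource names, image and ARNs are assumptions, while the `ALIBABA_CLOUD_*` variables are the ones the Alibaba Cloud SDK default credential chain reads for OIDC role assumption:

```yaml
# Added illustration, not code from either webhook project. Names, the solver
# config keys (accessKeyIdRef/accessKeySecretRef) and the ARNs are constructed.
# (a) AK/SK model: a long-lived RAM key pair sits in a Secret that the Issuer
#     hands to the webhook solver; it must be rotated and can leak with the Secret.
apiVersion: v1
kind: Secret
metadata: {name: alidns-ak-sk, namespace: cert-manager}
stringData: {access-key-id: "<placeholder>", access-key-secret: "<placeholder>"}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata: {name: letsencrypt-aksk}
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef: {name: letsencrypt-aksk-account}
    solvers:
    - dns01:
        webhook:
          groupName: acme.example.com
          solverName: alidns
          config:
            accessKeyIdRef: {name: alidns-ak-sk, key: access-key-id}
            accessKeySecretRef: {name: alidns-ak-sk, key: access-key-secret}
---
# (b) RRSA model: the Issuer carries no credentials; the webhook pod gets a
#     projected ServiceAccount token that the SDK exchanges for short-lived
#     STS credentials, so there is no static key to store, leak or rotate.
apiVersion: apps/v1
kind: Deployment
metadata: {name: alidns-webhook, namespace: cert-manager}
spec:
  template:
    spec:
      serviceAccountName: alidns-webhook
      containers:
      - name: webhook
        image: example.com/alidns-webhook:placeholder
        env:
        - {name: ALIBABA_CLOUD_ROLE_ARN, value: "acs:ram::<account-id>:role/cert-manager-alidns"}
        - {name: ALIBABA_CLOUD_OIDC_PROVIDER_ARN, value: "acs:ram::<account-id>:oidc-provider/ack-rrsa-<cluster-id>"}
        - {name: ALIBABA_CLOUD_OIDC_TOKEN_FILE, value: /var/run/secrets/tokens/oidc-token}
        volumeMounts:
        - {name: oidc-token, mountPath: /var/run/secrets/tokens, readOnly: true}
      volumes:
      - name: oidc-token
        projected:
          sources:
          - serviceAccountToken: {path: oidc-token, expirationSeconds: 3600, audience: sts.aliyuncs.com}
```

In model (b) the RAM role's trust policy is what scopes access, so a compromised Issuer or namespace yields only the projected token for that ServiceAccount rather than a reusable account-wide key.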
wallrj-cyberark left a comment
Thank you for contributing this, and I can see that RRSA/OIDC support for AliDNS is a genuine gap worth filling. However, I agree with @erikgb's earlier comment: before we list a third AliDNS webhook, we should explore contributing this feature to an existing one.
There are already two AliDNS webhooks listed:
| | pragkent/alidns-webhook | DEVmachine-fr/cert-manager-alidns-webhook |
|---|---|---|
| Stars | 209 | 158 |
| Last commit | January 2022 | March 2025 |
| Latest release | None | v0.8.3 (March 2025) |
| Licence | None | Apache-2.0 |
| Accepts PRs | Effectively abandoned — no review activity | Yes — 6 community PRs merged in the past year |
The DEVmachine-fr webhook is actively maintained and already has two open PRs adding the same RRSA/OIDC credential chain support you built:
- DEVmachine-fr#29 by @JacksonTian (open since July 2024) — upgrades the Alibaba SDK to use the default credential chain, which enables OIDC/RRSA
- DEVmachine-fr#37 by @onelapahead (September 2025) — builds on #29 with fixes, logging, and worker role support
Those PRs demonstrate that adding RRSA support to the DEVmachine-fr webhook is a tractable contribution, not a fundamental rewrite. The maintainer (@olivierboudet) has been responsive to contributions.
I would suggest:
- Review DEVmachine-fr PRs #29 and #37 — your experience with RRSA could help move them forward
- Contribute directly to the DEVmachine-fr webhook, either by helping land #29/#37 or by opening your own PR there
- If the maintainer is unresponsive or the contribution is rejected, we can revisit listing your webhook separately
Listing a third AliDNS webhook — especially one with only 11 stars, a single contributor, and the same name (cert-manager-alidns-webhook) as an existing entry — would be confusing for users and fragment the community's maintenance effort.
| - [`AliDNS-Webhook`](https://github.com/pragkent/alidns-webhook) | ||
| - [`bizflycloud-certmanager-dns-webhook`](https://github.com/bizflycloud/bizflycloud-certmanager-dns-webhook) | ||
| - [`cert-manager-alidns-webhook`](https://github.com/DEVmachine-fr/cert-manager-alidns-webhook) | ||
| - [`cert-manager-alidns-webhook`](https://github.com/crazygit/cert-manager-alidns-webhook)(Suport ACK RRSA) |
This would create two identically named entries (cert-manager-alidns-webhook) in the list, which would be confusing for users.
More importantly, the feature you built (RRSA/default credential chain support) is already the subject of open PRs on the DEVmachine-fr webhook: #29 and #37. Contributing there would benefit the 158+ users already using that webhook, rather than asking them to migrate to a new project.
Also a minor point: "Suport" is a typo for "Support".
Description
This PR adds a link to a community-maintained Alibaba Cloud DNS (AliDNS) webhook solver to the documentation.
Details
I have developed a custom webhook for AliDNS based on the cert-manager/webhook-example.
It allows users to solve ACME DNS01 challenges using Alibaba Cloud DNS with the ACK RRSA feature.