From 4106038fe932331e34353c4c56ad15fe6cd97dbc Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 18 Jun 2025 02:30:58 +0000
Subject: [PATCH] cert-manager: Use recursive resolver for checks

I've completely blocked all outgoing unencrypted DNS traffic at the firewall now, which prevents _cert-manager_ from using its default behavior of using the authoritative name servers for its managed domains to check poll for ACME challenge DNS TXT record availability. Fortunately, it has an option to use a recursive resolver (i.e. the network-provided DNS server) instead.
---
 cert-manager/kustomization.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/cert-manager/kustomization.yaml b/cert-manager/kustomization.yaml
index 5db8b09..342aada 100644
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -52,3 +52,13 @@ patches:
 nameservers:
 - 172.30.0.1
 dnsPolicy: None
+- patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: >-
+ --dns01-recursive-nameservers-only
+ target:
+ group: apps
+ version: v1
+ kind: Deployment
+ name: cert-manager
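Review bot: With `--dns01-recursive-nameservers-only` added but `--dns01-recursive-nameservers` left unset, cert-manager's DNS01 propagation self-check falls back to the pod's resolv.conf — which, from the `dnsPolicy: None` / `172.30.0.1` context lines just above, is the cluster resolver pinned by the earlier patch — so the new arg depends silently on that other patch, and a caching resolver's negative cache of the not-yet-created `_acme-challenge` TXT record can stall the check until the zone's negative TTL expires. Consider pinning the resolver in the same JSON patch, `--dns01-recursive-nameservers=172.30.0.1:53`, and recording the coupling with a comment above the patch such as `# egress DNS is firewalled; the DNS01 self-check must use the cluster resolver set by the dnsConfig patch above`. Note also that this flag only changes cert-manager's own check; the ACME CA still queries the authoritative servers, so a record that is visible only to the internal resolver (split-horizon zones) will pass the self-check and then fail issuance. Finally, `add` to `/args/-` presumes container 0 of the upstream Deployment already has an `args` list; if a future upstream manifest drops it, RFC 6902 `add` on a missing array path makes the kustomize build fail rather than creating the list.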