I'm just looking for a bit of clarity on how the DNS delegation works with ACME/dns-01.
I've had a look at some other threads and couldn't really find a clear answer.
Currently I have cert-manager running inside a k8s cluster using Let's Encrypt.
I have it using dns-01 via Route 53 to an isolated subdomain so credentials are restricted.
I want users to be able to self-service certificates easily for our domain.
In the main example.com zone I have the _acme-challenge CNAME.
_acme-challenge.example.com CNAME _acme-challenge.certs.example.com
Where I am getting a bit lost is that this allows me to generate only the exact domain name "example.com" or a wildcard "*.example.com".
For any other domain name, I require additional aliases?
_acme-challenge.myapp.example.com CNAME _acme-challenge.certs.example.com
_acme-challenge.webapp2.example.com CNAME _acme-challenge.certs.example.com
So if I want to allow my users to generate certs easily for any app they make in k8s, they would either have to use a wildcard or we would have to make a CNAME every time they need a new domain name for an application?
Is there a way to simply delegate all requests for a domain to a subdomain without needing a CNAME for every single required FQDN?
Or am I possibly looking at the wrong implementation or Let's Encrypt for my use case?
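Added example, not part of the original post: a small check that maps requested certificate names to the dns-01 validation names they need (RFC 8555 section 8.4, with the wildcard label dropped) and reports which CNAMEs to the delegated zone are still missing. The delegation target comes from the post; the function names and the sample record set are constructed for illustration.

```python
"""Which _acme-challenge CNAMEs does a set of certificate names need?"""

# Delegation target taken from the post; all other data below is constructed.
DELEGATION_TARGET = "_acme-challenge.certs.example.com"


def _norm(name: str) -> str:
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.strip().rstrip(".").lower()


def challenge_name(identifier: str) -> str:
    """dns-01 validation name: _acme-challenge.<domain>.

    A wildcard identifier is validated at its base domain, so
    '*.example.com' and 'example.com' share one validation name.
    """
    name = _norm(identifier)
    if name.startswith("*."):
        name = name[2:]
    if not name or "*" in name:
        raise ValueError(f"unsupported identifier: {identifier!r}")
    return "_acme-challenge." + name


def required_cnames(identifiers, target=DELEGATION_TARGET):
    """Map each distinct validation name to the delegation target."""
    return {challenge_name(i): _norm(target) for i in identifiers}


def missing_cnames(identifiers, published, target=DELEGATION_TARGET):
    """Validation names with no CNAME to the target in the parent zone."""
    have = {_norm(k): _norm(v) for k, v in published.items()}
    needed = required_cnames(identifiers, target)
    return sorted(n for n, t in needed.items() if have.get(n) != t)


# Constructed sample: CNAMEs currently published in the example.com zone.
PUBLISHED = {
    "_acme-challenge.example.com.": DELEGATION_TARGET,
    "_acme-challenge.myapp.example.com.": DELEGATION_TARGET,
}
# Constructed sample: names users ask certificates for.
REQUESTED = ["example.com", "*.example.com", "myapp.example.com",
             "webapp2.example.com", "*.webapp2.example.com"]

if __name__ == "__main__":
    for owner in missing_cnames(REQUESTED, PUBLISHED):
        print(f"{owner} CNAME {DELEGATION_TARGET}")
```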