We run Kubernetes clusters in Azure on a private network and have happily been using cert-bot to create our _acme-challenge TXT files in Azure DNS so that we have a local wildcard SSL cert on the clusters, as a number of our services only route over the private network.
We also run public ingress for public-facing services on these clusters, and other non-k8s services, via Cloudflare.
For the big picture, our parent domain has a catch-all DNS A record that points to a 3rd-party hosting provider, because - hey, marketing.....
A couple of months ago we were updated by Cloudflare to use their new DCV service for automatic TLS edge certs; this requires setting a permanent _acme-challenge CNAME to Cloudflare internals.
Scroll on to now and I'm starting to get warnings that Kubernetes certs are not renewing - the error being that cert-manager is unable to create the TXT record because Cloudflare needs the permanent _acme-challenge CNAME.
I could do with some ideas on how to get around this please........
We have looked at using the http01 challenge on the cluster; however, as we then discovered, our parent domain A record goes directly to a 3rd-party site, so we can't redirect the /.well-known/ path.
Help...