I have a Kubernetes cluster with an nginx-ingress running in front of a set of containerized applications running on the cluster.
The cluster has Cert Manager running using http challenge for the exposed application(s).
Now, for security reasons, one of the exposed applications has been locked down to a set of specific white-listed IP addresses.
My understanding is that the renewal of the certificate will now be broken as the http challenge mechanism is broken.
I thought that maybe I could use DNS challenge for cert renewal, but I am unsure if that is even possible since the FQDN is not even reachable except by specific IPs.
I don’t really understand the full communication flow between cert-manager, DNS provider and LetsEncrypt in the DNS challenge scenario.
Would it even help to change from http challenge to DNS challenge in this scenario?
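As an added illustration (not part of the original post), the cert-manager `ClusterIssuer` below keeps the existing HTTP-01 solver as the default and routes only the IP-restricted hostname to a DNS-01 solver. DNS-01 works because Let's Encrypt validates by querying a `_acme-challenge` TXT record in public DNS rather than by connecting to the host, so the ingress allow-list never enters the picture. Field names follow the `cert-manager.io/v1` API; the hostname `restricted.example.com`, the ingress class `nginx`, the Cloudflare DNS provider and the secret name `cloudflare-api-token` are assumptions for the example.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com            # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      # Solver 1: DNS-01 for the IP-restricted application.
      # Let's Encrypt reads the TXT record from public DNS; no inbound
      # HTTP to the cluster is needed, so the ingress allow-list is irrelevant.
      - selector:
          dnsNames:
            - restricted.example.com      # assumed hostname
        dns01:
          cloudflare:                     # assumed DNS provider
            apiTokenSecretRef:
              name: cloudflare-api-token  # Secret in the cert-manager namespace
              key: api-token
      # Solver 2: HTTP-01 for everything else (no selector = catch-all).
      # cert-manager creates a temporary Ingress/pod that must be reachable
      # from the Internet on port 80 for /.well-known/acme-challenge/.
      - http01:
          ingress:
            ingressClassName: nginx       # assumed ingress class
```

The DNS provider API token only needs permission to edit TXT records in the relevant zone; scoping it that narrowly limits what a leaked token can do. Renewal for the restricted host can be confirmed from the cluster with `kubectl describe challenge` during the next renewal window, which should show type `DNS-01` and state `valid`.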