I have a Kubernetes cluster with an nginx-ingress running in front of a set of containerized applications running on the cluster.
The cluster has Cert Manager running using http challenge for the exposed application(s).
Now, for security reasons, one of the exposed applications has been locked down to a set of specific white-listed IP addresses.
My understanding is that the renewal of the certificate will now be broken as the http challenge mechanism is broken.
I thought that maybe I could use DNS challenge for cert renewal, but I am unsure if that is even possible since the FQDN is not even reachable except by specific IPs.
I don’t really understand the full communication flow between cert-manager, DNS provider and LetsEncrypt in the DNS challenge scenario.
Would it even help to change from http challenge to DNS challenge in this scenario?
The DNS provider is GratisDNS.dk. I do not think they support the ACME protocol. Just some text entry stuff. So I am guessing I need another DNS provider and then it should work.
Hmm, I guess that means I need to remove https://docs.cert-manager.io/en/release-0.4/index.html from my cluster. I don’t think it supports gratisdns.dk. Then implement a container around acme.sh that exports the certs to the cluster.
But then I lose all the nice functionality of cert-manager.
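The core of the question is whether a DNS-01 challenge can succeed when the application's FQDN only answers to allowlisted source addresses. The simulation below is an added example, not code from the post or from cert-manager; it models the two ACME validation methods from RFC 8555 (HTTP-01 in section 8.3, DNS-01 in section 8.4) with the ACME client playing cert-manager's role and the validator playing Let's Encrypt's role. It assumes the allowlist is enforced at the ingress in front of the host, and that the ACME client can reach both the ACME server and the DNS provider's API outbound. The account key, tokens, IP ranges, hostnames and the in-memory DNS zone are all constructed for the example.

```python
"""Simulated ACME HTTP-01 vs DNS-01 validation (RFC 8555 sections 8.3 and 8.4).

Added example, not code from the question or from cert-manager. It shows the
values the ACME client must derive and where the CA's validator connects in
each flow. All keys, tokens, addresses and zone data are constructed.
"""
import base64
import hashlib
import ipaddress
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the key's required members."""
    required = ("crv", "kty", "x", "y") if jwk["kty"] == "EC" else ("e", "kty", "n")
    canonical = json.dumps({k: jwk[k] for k in sorted(required)}, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint(account key); proves the client holds the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record value the client publishes at _acme-challenge.<fqdn> (RFC 8555 8.4)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


# --- constructed world ---------------------------------------------------------
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]   # ingress allowlist (TEST-NET-3)
ALLOWED_CLIENT_IP = ipaddress.ip_address("203.0.113.9")      # a client inside the allowlist
CA_VALIDATOR_IP = ipaddress.ip_address("198.51.100.7")       # CA's outbound address (TEST-NET-2)
DNS_ZONE = {}                                                # name -> list of TXT values


def http01_validation(token: str, jwk: dict, source_ip, allowed=ALLOWED_CLIENTS) -> bool:
    """CA fetches http://<fqdn>/.well-known/acme-challenge/<token> from its own address.

    With a source-IP allowlist at the ingress, the CA's request never reaches the
    solver, so the challenge fails regardless of what the client would have served.
    """
    if not any(source_ip in net for net in allowed):
        return False  # rejected or dropped at the ingress: challenge fails
    # Inside the allowlist the body would be key_authorization(token, jwk).
    return len(key_authorization(token, jwk)) > 0


def dns01_publish(fqdn: str, token: str, jwk: dict, zone=DNS_ZONE) -> str:
    """Client step (what cert-manager does via the DNS provider's API)."""
    name = f"_acme-challenge.{fqdn}"
    zone.setdefault(name, []).append(dns01_txt_value(token, jwk))
    return name


def dns01_validate(fqdn: str, token: str, jwk: dict, zone=DNS_ZONE) -> bool:
    """CA step: a DNS TXT query only; no connection is ever made to the host."""
    return dns01_txt_value(token, jwk) in zone.get(f"_acme-challenge.{fqdn}", [])


def dns01_cleanup(fqdn: str, token: str, jwk: dict, zone=DNS_ZONE) -> None:
    """Client step after validation: remove the published record."""
    zone[f"_acme-challenge.{fqdn}"].remove(dns01_txt_value(token, jwk))


def dns01_flow(fqdn: str, jwk: dict, zone=DNS_ZONE) -> bool:
    """Full DNS-01 round trip: CA issues token, client publishes, CA checks, client cleans up."""
    token = b64url(secrets.token_bytes(32))  # issued by the CA in the challenge object
    dns01_publish(fqdn, token, jwk, zone)
    ok = dns01_validate(fqdn, token, jwk, zone)
    dns01_cleanup(fqdn, token, jwk, zone)
    return ok


if __name__ == "__main__":
    print("HTTP-01 from CA address:", http01_validation("tok", ACCOUNT_JWK, CA_VALIDATOR_IP))
    print("DNS-01 round trip:      ", dns01_flow("app.example.com", ACCOUNT_JWK))
```

Run as-is, the HTTP-01 check from the CA's address reports False because the validator's source IP is not in the allowlist, while the DNS-01 round trip reports True without any connection to the host. The DNS provider still has to expose an API the client can drive for the publish and cleanup steps; a provider that only offers manual record editing cannot be automated this way.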