Cert-manager in GKE with nginx-ingress

I install self-hosted gitlab on GKE with helm.

  • helm chart version : 4.7.1
  • terraform: v12.24

I want to use nginx-ingress for setting firewall, which is mentioned in this page.

And my setting in values.yaml is as below.

nginx-ingress:
  controller:
    service:
      loadBalancerSourceRanges:[LIST, OF, ALLOW,IP]

and also, I want to use cert-manager.

  ingress:
    annotations:
      kubernetes.io/ingress.allow-http: "false"
    configureCertmanager: true
    enabled: true
    tls:
      enabled: true

In this case, issuing certificate with cert-manager failed.

Waiting for http-01 challenge propagation: failed to perform self check GET request 'http://gitlab.xxx.xxx.xxx.xip.io/.well-known/acme-challenge/wW_aQvj0uAxl03IOeKlrVCXJtugAM-Mtgi2cvk4_5lU

If I changed loadBalancerSourceRanges to [0.0.0.0/0], certificate issued successfully so I figured out it’s because of firewall rule. But I cannot find what IP address must be allowed in nginx-ingress.
Or, instead of adding some IP addresses for cert, should I change another configuration ?

If someone knows the way to issue certificate with cert-manager in GKE which has nginx-ingress and loadBalancerSourceRange , please help me.

I found letsencrypt document say that

We don’t publish a list of IP addresses we use to validate, and these IP addresses may change at any time.
FAQ - Let's Encrypt - Free SSL/TLS Certificates

so I may not be able to set specific IP address on firewall rule on nginx-ingress.

What I may be able to do are

  • Install cert-manager by myself on another namespace or another node-pool, which doesn’t have IP-filtering, to get certificate
  • Install cert-manager by myself on same namespace ,but use DNS-01 instead of HTTP-01