The logic that lego has could certainly be co-opted here, but having a declarative config for the certificate using ThirdPartyResource is the right way to go IMHO.
Also, lego is a bit cumbersome to run in a container. It relies on storing config and certs in a .lego dir in the home directory, and doesn't clean up DNS entries if it somehow fails to run, so it would be a pain to use without modification.