What are my ingress IP whitelist options?

We need to do IP whitelists for application ingress routes in OpenShift 4.10. The whitelist contents are different for applications in different environments and lifecycle stages. We separate environments and lifecycle stages with namespaces and labels. We have a lot of applications so there will be a great number of whitelist/environment/lifecycle combinations. Maintaining these in Route YAML HAProxy whitelist annotations causes a lot of work.

  • Is it possible to predefine whitelists in HAProxy and refer to these in Route annotations?
  • Are there other options for limiting external access to applications in the cluster? We want to have a single ingress IP address for the whole cluster. The env/lc separation is in hostnames, e.g. ci-myapp.mycluster.com, preprod-myapp.mycluster.com.

Responses