Enable middleware annotation on ingress per path

So we started migrating from IngressRoute to Ingress in my company for various reasons.
The issue I have is that we have an instance of ArgoCD that is inaccessible publicly but have /api/webhook path that needs to be public for Github webhooks to work.

With IngressRoute, I had a separate Rule that just doesn't use middleware on that path.
With Ingress, I tried creating separate Ingress resource (the default one is declared in ArgoCD helm chart values file) just for /api/webhook path but it doesn't work as apparently, the internal-traffic-only middleware applies at the hostname level.

My question is, how do I get 2 Ingress resources (one covering /, another covering /api/webhook) where only one of them is made private with internal-traffic-only middleware?

Again, I'm asking about using regular Kubernetes Ingress resource with Traefik.

I ended up making another middleware that whilelists CIDR.
I don't particularly like this approach, but it works.