# cert-manager

X.509 certificate management for Kubernetes using Let's Encrypt.

## Upstream

The `upstream/cert-manager.yaml` file is downloaded from the official cert-manager release:

- Source: https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.yaml
- Version: v1.17.2

To update, download the new version and replace the file.

## DNS Configuration

The upstream cert-manager deployment is patched via kustomize overlay (`upstream/kustomization.yaml`) to use external DNS resolvers (1.1.1.1, 8.8.8.8) instead of cluster DNS. This is required for ACME DNS-01 challenge verification.

## Maintenance

The `scripts/repair-certificates.sh` script can fix stuck certificates, orphaned ACME orders, and Cloudflare DNS cleanup errors. Run it manually when certificate issuance has issues.