Update cert-manager configurations for Let's Encrypt to include DNS-01 challenge support for both pcenicni.dev and nikflix.ca. Clarify Cloudflare API token requirements in comments and remove HTTP-01 fallback references for cleaner configuration.

clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-prod.yaml

@@ -11,7 +11,8 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-prod-account-key
     solvers:
-      # DNS-01 — Cloudflare token covers pcenicni.dev only. Requires Secret cloudflare-dns-api-token in cert-manager.
+      # DNS-01 — Cloudflare token must have Zone.Read + DNS.Edit for BOTH pcenicni.dev AND nikflix.ca.
+      # Edit the token in Cloudflare → My Profile → API Tokens to add nikflix.ca zone permissions.
       - dns01:
           cloudflare:
             apiTokenSecretRef:
@@ -20,8 +21,4 @@ spec:
         selector:
           dnsZones:
             - pcenicni.dev
-      # HTTP-01 fallback — used for all other zones (e.g. nikflix.ca via Pangolin → Newt → Traefik).
-      # Requires a Pangolin HTTP resource + target for each hostname before LE can reach /.well-known/acme-challenge/.
-      - http01:
-          ingress:
-            ingressClassName: traefik
+            - nikflix.ca