Update cert-manager configurations to use DNS-01 challenge with Cloudflare for both production and staging ClusterIssuers. Modify README.md to reflect the new DNS-01 setup and provide instructions for creating the necessary Cloudflare API token secret. This change enhances certificate issuance reliability when using Cloudflare's proxy services.

clusters/noble/apps/cert-manager/README.md

@@ -1,6 +1,16 @@
 # cert-manager — noble
 
-**Prerequisites:** **Traefik** (ingress class **`traefik`**), DNS for **`*.apps.noble.lab.pcenicni.dev`** → Traefik LB.
+**Prerequisites:** **Traefik** (ingress class **`traefik`**), DNS for **`*.apps.noble.lab.pcenicni.dev`** → Traefik LB for app traffic.
+
+**ACME (Let’s Encrypt)** uses **DNS-01** via **Cloudflare** for zone **`pcenicni.dev`**. Create an API token with **Zone → DNS → Edit** and **Zone → Zone → Read** (or use the “Edit zone DNS” template), then:
+
+```bash
+kubectl -n cert-manager create secret generic cloudflare-dns-api-token \
+  --from-literal=api-token='YOUR_CLOUDFLARE_API_TOKEN' \
+  --dry-run=client -o yaml | kubectl apply -f -
+```
+
+Without this Secret, **`ClusterIssuer`** will not complete certificate orders.
 
 1. Create the namespace:
 
@@ -35,3 +45,5 @@
    ```
 
 Use **`cert-manager.io/cluster-issuer: letsencrypt-staging`** on Ingresses while testing; switch to **`letsencrypt-prod`** when ready.
+
+**HTTP-01** is not configured: if the hostname is **proxied** (orange cloud) in Cloudflare, Let’s Encrypt may hit Cloudflare’s edge and get **404** for `/.well-known/acme-challenge/`. DNS-01 avoids that.