# cert-manager — noble

**Prerequisites:** **Traefik** (ingress class **`traefik`**), DNS for **`*.apps.noble.lab.pcenicni.dev`** → Traefik LB.

1. Create the namespace:

   ```bash
   kubectl apply -f clusters/noble/apps/cert-manager/namespace.yaml
   ```

2. Install the chart (CRDs included via `values.yaml`):

   ```bash
   helm repo add jetstack https://charts.jetstack.io
   helm repo update
   helm upgrade --install cert-manager jetstack/cert-manager \
     --namespace cert-manager \
     --version v1.20.0 \
     -f clusters/noble/apps/cert-manager/values.yaml \
     --wait
   ```

3. Optionally edit **`spec.acme.email`** in both ClusterIssuer manifests (default **`certificates@noble.lab.pcenicni.dev`**) — Let’s Encrypt uses this for expiry and account notices. Do **not** use **`example.com`** (ACME rejects it).

4. Apply ClusterIssuers (staging then prod, or both):

   ```bash
   kubectl apply -k clusters/noble/apps/cert-manager
   ```

5. Confirm:

   ```bash
   kubectl get clusterissuer
   ```

Use **`cert-manager.io/cluster-issuer: letsencrypt-staging`** on Ingresses while testing; switch to **`letsencrypt-prod`** when ready.