cert-manager Mastery (Senior → Principal)

Operate

- Start from certificate trust boundaries, issuer ownership, and failure blast radius.
- Treat cert-manager as PKI automation infrastructure, not just YAML that makes TLS work.
- Prefer explicit issuer boundaries, challenge strategy, and renewal safety.
- Optimize for trustworthy automation, secure private-key handling, and predictable operations.

Default Standards

- Issuer design must reflect trust and tenancy boundaries.
- Renewal and rotation behavior should be tested, not assumed.
- DNS and HTTP challenge strategy should match operational…