diff --git a/cluster-resources/azuredns-config-sealed.yaml b/cluster-resources/azuredns-config-sealed.yaml
new file mode 100644
index 0000000..27dedd7
--- /dev/null
+++ b/cluster-resources/azuredns-config-sealed.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: azuredns-config
+ namespace: cert-manager
+spec:
+ encryptedData:
+ client-secret: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: azuredns-config
+ namespace: cert-manager
diff --git a/cluster-resources/letsencrypt-issuer.yaml b/cluster-resources/letsencrypt-issuer.yaml
index 49148f7..7a5095f 100644
--- a/cluster-resources/letsencrypt-issuer.yaml
+++ b/cluster-resources/letsencrypt-issuer.yaml
@@ -12,22 +12,24 @@ spec: privateKeySecretRef: name: letsencrypt-staging-key solvers: - # DNS-01 solver for wildcard certificates (*.example.com) - dns01: - cloudflare: - email: danijels@gmail.com - apiTokenSecretRef: - name: cloudflare-api-token-secret - key: api-token + azureDNS: + subscriptionID: 1b52bc03-6815-4574-b579-60745dce544d + resourceGroupName: forteapps-domain + hostedZoneName: forteapps.net + environment: AzurePublicCloud + clientID: 3b7a4ebf-894c-4f5d-9b1e-2b61312f8e74 + clientSecretSecretRef: + name: azuredns-config + key: client-secret selector: dnsNames: - - '*.example.com' - - 'example.com' + - '*.forteapps.net' + - 'forteapps.net' # HTTP-01 fallback for non-wildcard certificates - http01: ingress: class: traefik - --- # Production ClusterIssuer for browser-trusted certificates apiVersion: cert-manager.io/v1
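Review bot: Nothing in the new SealedSecret records which cluster's sealing certificate produced the `client-secret` ciphertext, so after a sealed-secrets key rotation or a cluster rebuild the next maintainer cannot tell whether this file is still unsealable or how to regenerate it. A header comment above `apiVersion` such as `# Sealed with kubeseal against the <CLUSTER-NAME> sealed-secrets controller; re-seal from the plaintext Secret with kubeseal --format yaml if the controller key is rotated` would fix that. The default (strict) sealing scope also ties the ciphertext to the name and namespace in `spec.template.metadata`, so renaming or moving the Secret requires re-sealing; worth stating in the same comment.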
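Review bot: The Cloudflare solver is replaced, but `cloudflare-api-token-secret` was created by hand (`kubectl create secret generic …`, per the comment this commit keeps in the reference section), so nothing here removes that Secret from the `cert-manager` namespace and the API token it holds stays valid while no longer used; delete the Secret and revoke the token at Cloudflare as part of this migration, or record in the commit message that this was done. The staging solver also drops its `# DNS-01 solver for wildcard certificates (*.example.com)` comment, whereas the production block in the next hunk keeps it updated to `(*.forteapps.net)`; re-adding `# DNS-01 solver for wildcard certificates (*.forteapps.net)` above `- dns01:` keeps the two issuers parallel.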
@@ -42,28 +44,78 @@ spec: privateKeySecretRef: name: letsencrypt-prod-key solvers: - # DNS-01 solver for wildcard certificates (*.example.com) + # DNS-01 solver for wildcard certificates (*.forteapps.net) - dns01: - cloudflare: - email: danijels@gmail.com - apiTokenSecretRef: - name: cloudflare-api-token-secret - key: api-token + azureDNS: + subscriptionID: 1b52bc03-6815-4574-b579-60745dce544d + resourceGroupName: forteapps-domain + hostedZoneName: forteapps.net + environment: AzurePublicCloud + clientID: 3b7a4ebf-894c-4f5d-9b1e-2b61312f8e74 + clientSecretSecretRef: + name: azuredns-config + key: client-secret selector: dnsNames: - - '*.example.com' - - 'example.com' + - '*.forteapps.net' + - 'forteapps.net' # HTTP-01 fallback for non-wildcard certificates - http01: ingress: class: traefik # ============================================================================= -# DNS PROVIDER EXAMPLES - Uncomment and configure based on your provider: +# CONFIGURATION INSTRUCTIONS FOR AZURE DNS WITH WILDCARD CERTIFICATES +# ============================================================================= +# +# PREREQUISITES IN AZURE DNS PORTAL: +# ---------------------------------- +# 1. Ensure you have an Azure DNS Zone for "forteapps.net" created in your +# Azure subscription. If not, create it in Azure Portal: +# - Search for "DNS zones" → Create → Zone name: forteapps.net +# - Note the Resource Group where you create it (e.g., "dns-zones-rg") +# +# 2. Configure NS records at your domain registrar to point to Azure DNS: +# - In Azure Portal → DNS zones → forteapps.net +# - Note the 4 NS records shown (e.g., ns1-04.azure-dns.com, etc.) +# - Go to your domain registrar and update the NS records to these values +# +# AUTHENTICATION (Service Principal - Required for UpCloud/non-Azure clusters): +# ---------------------------------------------------------------------------- +# Since your cluster runs on UpCloud (not AKS), you must use Service Principal +# authentication. 
Managed Identity only works with Azure-hosted resources. +# +# ============================================================================= +# SETUP: Service Principal for UpCloud Clusters +# ============================================================================= +# +# 1. Create Azure AD App Registration: +# az ad sp create-for-rbac --name cert-manager-dns --sdk-auth +# # Save the JSON output - you'll need appId (clientID) and password (clientSecret) +# +# 2. Assign DNS Zone Contributor role: +# az role assignment create \ +# --role "DNS Zone Contributor" \ +# --assignee \ +# --scope /subscriptions//resourceGroups//providers/Microsoft.Network/dnszones/forteapps.net +# +# 3. Create Kubernetes secret for the service principal: +# kubectl create secret generic azuredns-config \ +# --namespace cert-manager \ +# --from-literal=client-secret=YOUR_CLIENT_SECRET +# +# 4. Update the ClusterIssuer above with: +# - subscriptionID: Your Azure subscription ID +# - resourceGroupName: The resource group containing your DNS zone +# - clientID: The Service Principal appId/clientID +# - clientSecretSecretRef: References the secret created in step 3 +# +# ============================================================================= +# ALTERNATIVE DNS PROVIDERS (for reference): # ============================================================================= # ----------------------------------------------------------------------------- -# Option 1: Cloudflare (recommended - supports API tokens with limited scope) +# Cloudflare (original configuration) # ----------------------------------------------------------------------------- # Create secret with: kubectl create secret generic cloudflare-api-token-secret \ # --from-literal=api-token=YOUR_CLOUDFLARE_API_TOKEN -n cert-manager 
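Review bot: Step 3 of the new instructions tells the operator to run `kubectl create secret generic azuredns-config --namespace cert-manager --from-literal=client-secret=…`, but the same commit adds `cluster-resources/azuredns-config-sealed.yaml`, a SealedSecret that produces that exact Secret; following the instruction puts the plaintext into shell history and leaves a hand-made Secret in place that, as far as I recall of the sealed-secrets controller, it will refuse to overwrite. Rewrite step 3 as the sealing procedure (build the plaintext Secret manifest locally, pipe it through `kubeseal --format yaml` into the sealed file, commit only the sealed file) and state that the SealedSecret is the source of truth. In step 2, the `--assignee` value and the subscription and resource-group segments of `--scope` (`/subscriptions//resourceGroups//…`) are empty, most likely angle-bracket placeholders lost on rendering; restore them as `YOUR_…` placeholders like the surrounding examples use. `az ad sp create-for-rbac --sdk-auth` in step 1 is flagged as deprecated by recent Azure CLI releases, so documenting the `appId` and `password` fields of the plain output is safer — worth confirming against the CLI version in use.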
@@ -76,7 +128,7 @@ spec: # key: api-token # ----------------------------------------------------------------------------- -# Option 2: AWS Route53 +# AWS Route53 # ----------------------------------------------------------------------------- # Create secret with: kubectl create secret generic route53-credentials \ # --from-literal=secret-access-key=YOUR_SECRET_KEY -n cert-manager @@ -84,34 +136,14 @@ spec: # dns01: # route53: # region: us-east-1 -# hostedZoneID: ZXXXXXXXXXXXXX # Optional: auto-detected if not specified +# hostedZoneID: ZXXXXXXXXXXXXX # accessKeyID: YOUR_ACCESS_KEY_ID # secretAccessKeySecretRef: # name: route53-credentials # key: secret-access-key # ----------------------------------------------------------------------------- -# Option 3: Azure DNS -# ----------------------------------------------------------------------------- -# Create secret with: kubectl create secret generic azuredns-config \ -# --from-literal=client-secret=YOUR_CLIENT_SECRET -n cert-manager -# -# dns01: -# azureDNS: -# subscriptionID: YOUR_SUBSCRIPTION_ID -# resourceGroupName: YOUR_RESOURCE_GROUP -# hostedZoneName: example.com -# environment: AzurePublicCloud -# managedIdentity: -# clientID: YOUR_MANAGED_IDENTITY_CLIENT_ID # For AKS with pod identity -# # OR use service principal: -# # clientID: YOUR_SERVICE_PRINCIPAL_CLIENT_ID -# # clientSecretSecretRef: -# # name: azuredns-config -# # key: client-secret - -# ----------------------------------------------------------------------------- -# Option 4: Google Cloud DNS +# Google Cloud DNS # ----------------------------------------------------------------------------- # Create secret with service account JSON key: # kubectl create secret generic clouddns-service-account \ 
@@ -120,13 +152,13 @@ spec: # dns01: # cloudDNS: # project: YOUR_GCP_PROJECT_ID -# hostedZoneName: example-com # Managed zone name in Cloud DNS +# hostedZoneName: example-com # serviceAccountSecretRef: # name: clouddns-service-account # key: service-account.json # ----------------------------------------------------------------------------- -# Option 5: GoDaddy +# GoDaddy # ----------------------------------------------------------------------------- # Requires external webhook: https://github.com/snowdrop/godaddy-webhook # @@ -143,7 +175,7 @@ spec: # key: api-secret # ----------------------------------------------------------------------------- -# Option 6: Manual/Dynamic DNS (for homelab) +# Manual/Dynamic DNS (for homelab) # ----------------------------------------------------------------------------- # Requires RFC2136 provider or external webhook # @@ -154,4 +186,4 @@ spec: # tsigAlgorithm: HMACSHA256 # tsigSecretSecretRef: # name: tsig-secret -# key: secret \ No newline at end of file +# key: secret