diff --git a/.gitignore b/.gitignore
index 0457da1..8d3a1b6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 vault-pass.gpg-*
 roles/*
 !roles/requirements.yml
+.vscode/
diff --git a/files/manifests/secret-digitalocean-dns.yaml b/files/manifests/secret-digitalocean-dns.yaml
index 4d469f8..4a5e725 100644
--- a/files/manifests/secret-digitalocean-dns.yaml
+++ b/files/manifests/secret-digitalocean-dns.yaml
@@ -1,16 +1,19 @@ $ANSIBLE_VAULT;1.1;AES256 -32383162626163663734653236646538626464643665323334666363306662363434346133653737 -3766373965626437376630303837663339383664643466300a336463366335636634336437303036 -32626138646662633337663037393538336438643363303962326263656636316336346462643937 -6337363463626265630a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a616337336363346163363962643130 +30663862656334303862643333366237376538633937366332333535303264366562336136336363 +6632316663353138620a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
diff --git a/files/manifests/wildcard-pwa-realitynetwork.yaml b/files/manifests/wildcard-pwa-realitynetwork.yaml
index 3af5555..a3f4e29 100644
--- a/files/manifests/wildcard-pwa-realitynetwork.yaml
+++ b/files/manifests/wildcard-pwa-realitynetwork.yaml
@@ -11,5 +11,5 @@ spec:
 group: cert-manager.io
 commonName: "*.pwa.realitynetwork.store"
 dnsNames:
- - ".pwa.realitynetwork.store"
+ - "pwa.realitynetwork.store"
 - "*.pwa.realitynetwork.store"
diff --git a/group_vars/rnt_cad/k8s-vault.yml b/group_vars/rnt_cad/k8s-vault.yml
index 114140f..2857e57 100644
--- a/group_vars/rnt_cad/k8s-vault.yml
+++ b/group_vars/rnt_cad/k8s-vault.yml
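Review bot: In `files/manifests/wildcard-pwa-realitynetwork.yaml` the corrected `dnsNames` entry carries no comment saying why the bare name sits next to the wildcard; a wildcard SAN does not match `pwa.realitynetwork.store` itself, so a later cleanup could drop the entry as redundant. I would add `# the wildcard does not cover the bare domain, so it is listed explicitly` above the first list item. Let's Encrypt validates wildcard names only through DNS-01, and the `group: cert-manager.io` line looks like the tail of an `issuerRef` that starts above this hunk, so it is worth confirming that it points at the issuer backed by the `digitalocean-dns` secret rather than the HTTP one.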
@@ -1,8 +1,26 @@ $ANSIBLE_VAULT;1.1;AES256 -39633338616237663666373535663038646563353438346363333632616133353661323532623265 -6464306261363038386234396334363136336435656663390a626133313233396664646130386361 -39326232343834663665376534666230303034303362333265356263336361626362393939623961 -6234393862366365360a353461386639633132633437653832383663303136343761333132333738 -33336131323364333063393732643366666563393839303333303663366334613238626537636530 -64323062353134346431373536623162353731623833623832353636643063646463623833613135 -643430356133643436373339643066613165 +61316662343265383362663936373531346563663065646434336239643031356336623230623766 +3135333666356363636536656439363239356232666435370a346232636365616566313331626362 +34303965633863623237333861666564373665623938623164396162323166343337653631333130 +3034333135333535320a646561333736353838356565323737616232373461646531636233363732 +34303463323132313430653733396636313930383364363462636463333139623265636362373438 +65626331386536376666366261633835313334653739643364643639643431353730386662363839 +37636639393530633834623631363765663730383031313138656431633835343263303462313261 +33616366333262643033636563326534653133643232616636353037616261643162386465613134 +39643730666435666165353331653765386539356333623830306239323366363563613639653232 +61373933306531666334306463326161386431326132623238633235623839646236663761386530 +38633963303839343238613164643464356562616334316332366461363963363339343762326535 +66336336393537343762653731306637613030643338616164383435336632313862336464613533 +32653265613262663633623039386337666333336364396435656331376339373938653634336162 +65376433653665373838663261656635623663326433616534653963396163316662613664343561 +39616532386330663337396332316332336537663466636339356463393239356430626266653133 +35623362373030623830303762343830353962353532373638643631636239653338306462343965 +61663031313465343632326664303963623037633639356563646265326233303261663533346632 
+65333637613864623237643432613262383632336532316335643938313335306262316561366137 +37303965353065336234303134323631363932613162343337353433373964623565643039636162 +66376236393334613232343434376163613836373565313235323437356463313366646461363537 +32643135636364626533666265393664396538336331663735306433303439356462393532316437 +33613665633538663963633264346461663630623566393233656536323564623361323962303962 +62333736643664343762323433666531333633383563643834346234353736653337326438646530 +66373035336238363635623933663532323362396534653235633535316332393664336164303361 +65643435623334383435666434303465623465653531356465653535633363633036 diff --git a/group_vars/rnt_cad/k8s.yml b/group_vars/rnt_cad/k8s.yml index 3cf85c0..d78f43f 100644 --- a/group_vars/rnt_cad/k8s.yml +++ b/group_vars/rnt_cad/k8s.yml 
@@ -1,14 +1,32 @@
 ---
+# default context is used for stack orchestrator deployments, for testing a custom context name can be usefull
+#k8s_cluster_name: rnt-cad-cluster
 k8s_cluster_name: default
 k8s_cluster_url: rnt-cad-cluster-control.realitynetwork.store
 k8s_taint_servers: true
 k8s_acme_email: "{{ support_email }}"
+# k3s bundles traefik as the default ingress controller, we will disable it and use nginx instead
+k8s_disable:
+ - traefik
+
+# secrets can be stored in a file or as a template, the template secrets gets dynamically base64 encoded while file based secrets must be encoded by hand
+k8s_secrets:
+ - name: digitalocean-dns
+ type: file
+ source: secret-digitalocean-dns.yaml
+
 k8s_manifests:
+ # ingress controller, replaces traefik which is explicitly disabled
+ - name: ingress-nginx
+ type: url
+ source: https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.1/deploy/static/provider/cloud/deploy.yaml
+
+ # cert-manager, required for letsencrypt
 - name: cert-manager
 type: url
- source: https://github.com/cert-manager/cert-manager/releases/download/v1.15.0/cert-manager.yaml
+ source: https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.yaml
 # issuer for basic http certs
 - name: letsencrypt-prod
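Review bot: The new `ingress-nginx` entry in `k8s_manifests` is fetched at deploy time from a tag ref on `raw.githubusercontent.com`, and nothing visible in this hunk fixes its content: a tag can be re-pointed upstream, and whatever is served then gets applied to the cluster. The bumped cert-manager release URL has the same property. Both manifests install cluster-wide RBAC and admission webhooks, so I would pin the raw URL to a commit, `source: https://raw.githubusercontent.com/kubernetes/ingress-nginx/<COMMIT_SHA_PLACEHOLDER>/deploy/static/provider/cloud/deploy.yaml`, or, if the role's `type: file` also works for manifests, vendor reviewed copies next to the existing files under `files/manifests/`. The `letsencrypt-prod` item continues outside the hunk.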