diff --git a/k8s/manifests/intake-ingress.yaml b/k8s/manifests/intake-ingress.yaml
index 4e9eae2..84de962 100644
--- a/k8s/manifests/intake-ingress.yaml
+++ b/k8s/manifests/intake-ingress.yaml
@@ -1,18 +1,4 @@
 ---
-# Certificate for janet.ctz.fyi
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: janet-ctz-fyi-tls
- namespace: autojanet
-spec:
- secretName: janet-ctz-fyi-tls
- dnsNames:
- - janet.ctz.fyi
- issuerRef:
- kind: ClusterIssuer
- name: letsencrypt-prod
----
 # IngressRoute: janet.ctz.fyi → intake service
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
@@ -20,8 +6,8 @@ metadata:
 name: intake
 namespace: autojanet
 annotations:
- external-dns.alpha.kubernetes.io/hostname: janet.ctz.fyi
 external-dns/internal: "true"
+ external-dns.alpha.kubernetes.io/hostname: janet.ctz.fyi
 spec:
 entryPoints:
 - websecure
@@ -33,3 +19,22 @@ spec:
 port: 80
 tls:
 secretName: janet-ctz-fyi-tls
+---
+# Companion Ingress — cert-manager issues the cert, external-dns picks up the hostname
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: intake-dns
+ namespace: autojanet
+ annotations:
+ external-dns/internal: "true"
+ external-dns.alpha.kubernetes.io/hostname: janet.ctz.fyi
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+ ingressClassName: traefik
+ tls:
+ - hosts:
+ - janet.ctz.fyi
+ secretName: janet-ctz-fyi-tls
+ rules:
+ - host: janet.ctz.fyi
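Review bot: The new `intake-dns` Ingress in the last hunk sets `ingressClassName: traefik` and ends on a `rules` entry whose only field is `host: janet.ctz.fyi`, so it stays a certificate/DNS-only object only as long as nobody adds an `http` block to it. A comment above `rules:` such as `# no http paths on purpose: routing stays on the IngressRoute; this object only drives cert-manager and external-dns` would keep a later edit from opening a second route to the host outside the IngressRoute. The `cert-manager.io/cluster-issuer` annotation also makes cert-manager create a Certificate named after `secretName: janet-ctz-fyi-tls`, the same name as the Certificate deleted in the first hunk. If that old object is not pruned from the cluster, cert-manager will presumably decline to manage it because the Ingress does not own it, so the rollout should confirm it is gone and that the secret is re-issued. Given the `external-dns/internal: "true"` annotation, it is also worth confirming that `letsencrypt-prod` validates over DNS-01, since an HTTP-01 challenge would need the name to be reachable from outside.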