Grading Rubric

Criterion	Strong (3)	Adequate (2)	Weak (1)
Identified misleading symptom	Recognized DNS latency was a monitoring artifact within 5 min; went straight to TLS	Investigated DNS briefly but pivoted when dig showed clean results	Got stuck troubleshooting DNS, CoreDNS, or external resolvers
Found root cause in security domain	Identified that cert-manager renewal was failing because the secret was deleted by Helm	Found the expired certificate but not why renewal failed	Only saw the expired cert; assumed it was a manual rotation miss
Remediated in Kubernetes domain	Re-issued cert, annotated secret with helm.sh/resource-policy: keep, updated Helm chart	Re-issued cert manually but did not prevent recurrence	Tried to fix DNS or manually replace the TLS cert without cert-manager
Cross-domain thinking	Explained the full chain: Helm upgrade -> secret deletion -> renewal failure -> TLS expiry -> monitoring misattribution to DNS	Acknowledged it crossed security and k8s but missed the monitoring misdirection	Treated it as a single-domain TLS or DNS problem

Prerequisite Topic Packs

• dns-deep-dive — needed for Domain A investigation (DNS resolution, dig, resolvers)
• tls-certificates-ops — needed for Domain B root cause (cert lifecycle, expiry, renewal)
• cert-manager — needed for Domain B root cause (cert-manager Certificate resources, Issuers)
• helm — needed for Domain C remediation (Helm 3-way merge, resource policies, secret lifecycle)
• monitoring-fundamentals — needed to understand the monitoring misattribution

Pages that link here

• DNS Deep Dive
• Helm
• Monitoring Fundamentals
• Symptoms: DNS Looks Broken, TLS Is Expired, Fix Is in Cert-Manager
• TLS & Certificates Ops
• cert-manager