Using cert-manager to pull secrets from external store and only issue new cert if expired

12/13/2021

We are working on a product that involves spinning up Kubernetes clusters and each one gets issued with a subdomain and associated certificate by LetsEncrypt. However these clusters can be deleted and recreated multiple times a week, issuing the same cert each time (subdomain.example.com) and we can possibly run foul of LetsEncrypt's 5 renewals/week rate limit.

Since these certs haven't expired (they're just being thrown away on cluster deletion) it would make sense to instead store them somewhere. I am envisaging a solution something along the lines of:

  • Cert-manager tries to pull a certificate from an external store
  • If it succeeds: a secret is created and all is good
  • If the certificate is expired or non-existent, cert-manager uses the issuer to issue a new certificate and pushes it to the external store

I'd like to avoid reinventing the wheel if possible, does a solution already exist for something like this?

-- Majolo
cert-manager
kubernetes
lets-encrypt
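The decision the three bullets above describe, as an added Go example that is not from the question or from cert-manager itself: `Decide` reuses a certificate fetched from the external store only when it parses, covers the requested subdomain and still has more than `renewBefore` left, and otherwise reports that the ACME issuer must be used. `selfSignedPEM` is a constructed stand-in for the stored PEM; the function names, the `Action` type and the renewal window are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// Action is what the reconciler does with the value fetched from the external store (assumed type).
type Action int

const (
	Reuse Action = iota // stored cert covers host and is outside the renewal window: just write the Secret
	Issue               // nothing stored, unparsable, wrong host, expired or expiring: ask the ACME issuer
)

// Decide implements the three bullets from the question. A store miss is an empty or nil PEM.
func Decide(certPEM []byte, host string, now time.Time, renewBefore time.Duration) (Action, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return Issue, nil // store miss (or not a certificate at all): go to the issuer
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Issue, err
	}
	if err := cert.VerifyHostname(host); err != nil {
		return Issue, err // belongs to another subdomain; never reuse it
	}
	// Reuse only if now lies inside [NotBefore, NotAfter-renewBefore); same idea as cert-manager's renewBefore.
	if now.Before(cert.NotBefore) || !now.Add(renewBefore).Before(cert.NotAfter) {
		return Issue, nil
	}
	return Reuse, nil
}

// selfSignedPEM builds a throwaway self-signed cert as constructed test data (not a real Let's Encrypt one).
func selfSignedPEM(host string, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: notAfter.Add(-90 * 24 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Whatever the external store is, the value it returns should be checked this way before it is written into the TLS Secret, so a stale or wrong-host certificate never reaches the cluster and only the genuinely needed reissues count against the rate limit.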

0 Answers