diff --git a/manifests/harbor/values.yaml b/manifests/harbor/values.yaml
index 8fd42e6..9b46b5a 100644
--- a/manifests/harbor/values.yaml
+++ b/manifests/harbor/values.yaml
@@ -1,19 +1,19 @@
 expose:
   type: ingress
   tls:
-    # Enable TLS - cert-manager will manage the certificate
+    # Enable TLS with external secret (Cloudflare Origin Certificate for now)
     enabled: true
-    # Use "secret" to reference an existing/external secret managed by cert-manager
-    # DO NOT use "auto" (Harbor's self-signed CA conflicts with cert-manager)
+    # Use "secret" to reference pre-created TLS secret
     certSource: secret
     secret:
-      # This secret will be created and managed by cert-manager via the ingress annotation
+      # Secret created manually with Cloudflare Origin Certificate
+      # Will be managed by cert-manager after March 23
       secretName: "harbor-ingress"
   ingress:
     className: traefik
     annotations:
-      # TEMPORARY: Using staging to avoid rate limits (switch back to 'letsencrypt' after March 23, 2026)
-      cert-manager.io/cluster-issuer: letsencrypt-staging
+      # NO cert-manager annotation during Phase 1 (manual certificate)
+      # Add back on March 23 for automatic Let's Encrypt management
       # Traefik specific annotations for HTTPS routing
       traefik.ingress.kubernetes.io/router.entrypoints: websecure
       traefik.ingress.kubernetes.io/router.tls: "true"