I have gone through acme and cert manager docs (https://github.com/jetstack/cert-manager) and it seems like I misunderstood this setup at the first place. There’s actually nothing from kong / ingress controller to do with tls-acme annotation - it’s just used by cert manager to do the job.