Renewal process for manually uploaded TLS certificates

We are in the process of moving most of your hosted services to docker/kubernetes in rancher2 HA clusters.
Our development/staging deployments will be using cert-manager with let’s encrypt certificates which from our understanding means, that no manual steps need to be taken for the certificates to be renewed in case they reach their validity date.

In production deployments however non-letsencrypt certificates will be used and in some cases these will be wildcard domain certificates. From our understanding this is possible by to uploading a certificate into each project and use it for namespaces inside this project.

  1. Is this the correct way tls certificates should be deployed or is there a more global solution to place wildcard certificates that will be used in multiple projects?
  2. What is the proposed workflow to keep those certificates valid?
  3. Is there an easy way to renew a certificate that is used in multiple projects?