diff --git a/upstream/kustomization.yaml b/upstream/kustomization.yaml
--- a/upstream/kustomization.yaml
+++ b/upstream/kustomization.yaml
@@ -4,15 +4,15 @@ bases:
 patchesStrategicMerge:
   - "patch.yaml"
 
-# patches:
-#   - target:
-#       kind: Deployment
-#       name: pomerium
-#       namespace: pomerium
-#     patch: |-
-#       - op: add
-#         path: /spec/template/spec/containers/0/args/-
-#         value: "--debug"
+patches:
+  - target:
+      kind: Deployment
+      name: pomerium
+      namespace: pomerium
+    patch: |-
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: "--debug"
 
   # fix for a digitalocean/dns issue https://github.com/cert-manager/cert-manager/issues/2485#issuecomment-1167314615
   - target:
diff --git a/upstream/patch.yaml b/upstream/patch.yaml
--- a/upstream/patch.yaml
+++ b/upstream/patch.yaml
@@ -20,6 +20,14 @@ spec:
               cpu: 5000m
               # getting OOM at the default 1Gi
               memory: 5Gi
+
+      # only for debugging
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - { key: "kubernetes.io/hostname", operator: In, values: ["ditto"] }
 ---
 apiVersion: v1
 kind: Service
@@ -46,3 +54,60 @@ spec:
       containers:
       - name: gen-secrets
         image: bang5:5000/pomerium_ingress_controller:510
+
+      # only for debugging
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - { key: "kubernetes.io/hostname", operator: In, values: ["ditto"] }
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-manager-cainjector
+  namespace: cert-manager
+spec:
+  template:
+    spec:
+      # only for debugging
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - { key: "kubernetes.io/hostname", operator: In, values: ["ditto"] }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  template:
+    spec:
+      # only for debugging
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - { key: "kubernetes.io/hostname", operator: In, values: ["ditto"] }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-manager-webhook
+  namespace: cert-manager
+spec:
+  template:
+    spec:
+      # only for debugging
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - { key: "kubernetes.io/hostname", operator: In, values: ["ditto"] }
\ No newline at end of file