diff --git a/cert-manager/cert-manager.yaml b/cert-manager/cert-manager.yaml
new file mode 100644
index 0000000..d838add
--- /dev/null
+++ b/cert-manager/cert-manager.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: ca-cert
+  namespace: cert-manager
+  annotations:
+    operator.1password.io/auto-restart: "true"
+spec:
+  itemPath: "vaults/Lab/items/ca"
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-issuer
+  namespace: cert-manager
+spec:
+  ca:
+    secretName: ca-cert
diff --git a/helm/values/gitea.values.yaml b/helm/values/gitea.values.yaml
index 0cc1615..f5617eb 100644
--- a/helm/values/gitea.values.yaml
+++ b/helm/values/gitea.values.yaml
@@ -12,12 +12,17 @@ service:
 ingress:
   enabled: true
   className: nginx-internal
+  annotations:
+    cert-manager.io/cluster-issuer: selfsigned-issuer
   hosts:
     - host: gitea.home
       paths:
         - path: /
           pathType: Prefix
-  tls: []
+  tls:
+    - secretName: gitea-tls
+      hosts:
+        - gitea.home
 gitea:
   admin:
     existingSecret: gitea-admin