diff --git a/kube/3-deploy/2-apps/gotosocial/app/hr.yaml b/kube/3-deploy/2-apps/gotosocial/app/hr.yaml
index 29bae25e..99758610 100644
--- a/kube/3-deploy/2-apps/gotosocial/app/hr.yaml
+++ b/kube/3-deploy/2-apps/gotosocial/app/hr.yaml
@@ -55,6 +55,7 @@ spec:
         tls:
           - hosts:
               - *host
+            secretName: gotosocial-tls
     podSecurityContext:
       runAsUser: &uid 568
       runAsGroup: *uid
@@ -87,3 +88,5 @@ spec:
         envFrom:
           - secretRef:
               name: gotosocial-pg
+          - secretRef:
+              name: gotosocial-pg-superuser
diff --git a/kube/3-deploy/2-apps/gotosocial/deps/secret-pg.yaml b/kube/3-deploy/2-apps/gotosocial/deps/secret-pg.yaml
index 4ca1af68..511df7df 100644
--- a/kube/3-deploy/2-apps/gotosocial/deps/secret-pg.yaml
+++ b/kube/3-deploy/2-apps/gotosocial/deps/secret-pg.yaml
@@ -16,4 +16,12 @@ stringData:
   INIT_POSTGRES_DBNAME: *db
   INIT_POSTGRES_USER: *user
   INIT_POSTGRES_PASS: *pass
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "gotosocial-pg-superuser"
+  namespace: "gotosocial"
+type: Opaque
+stringData:
   INIT_POSTGRES_SUPER_PASS: "${SECRET_PG_DEFAULT_SUPER_PASS}"
diff --git a/kube/3-deploy/2-apps/gotosocial/deps/tls.yaml b/kube/3-deploy/2-apps/gotosocial/deps/tls.yaml
new file mode 100644
index 00000000..837c3850
--- /dev/null
+++ b/kube/3-deploy/2-apps/gotosocial/deps/tls.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: &app gotosocial
+  namespace: *app
+spec:
+  secretName: gotosocial-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  privateKey:
+    algorithm: ECDSA
+    size: 384
+  commonName: social.jjgadgets.tech
+  dnsNames:
+    - social.jjgadgets.tech