diff --git a/kube/3-deploy/2-apps/authentik/app/hr.yaml b/kube/3-deploy/2-apps/authentik/app/hr.yaml
index fcf7e9c4..b533c079 100644
--- a/kube/3-deploy/2-apps/authentik/app/hr.yaml
+++ b/kube/3-deploy/2-apps/authentik/app/hr.yaml
@@ -22,6 +22,8 @@ spec:
 tag: 2023.4.1
 digest: "sha256:96c9f29247a270524056aff59f1bcb7118ef51d14b334b67ab2b75e8df30e829"
 pullPolicy: IfNotPresent
+ service:
+ port: 9000
 ingress:
 enabled: true
 ingressClassName: "nginx"
@@ -36,6 +38,7 @@ spec:
 tls:
 - hosts:
 - *host
+ secretName: authentik-tls
 authentik:
 log_level: debug
 secret_key: "${SECRET_AUTHENTIK_SECRET_KEY}"
diff --git a/kube/3-deploy/2-apps/authentik/app/tls.yaml b/kube/3-deploy/2-apps/authentik/app/tls.yaml
new file mode 100644
index 00000000..76b3a34f
--- /dev/null
+++ b/kube/3-deploy/2-apps/authentik/app/tls.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: &app authentik
+ namespace: *app
+spec:
+ secretName: authentik-tls
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ privateKey:
+ algorithm: ECDSA
+ size: 384
+ commonName: ${DNS_MAIN}
+ dnsNames:
+ - ${DNS_MAIN}
+ - '*.${DNS_MAIN}'
+ - '*.tinfoil.${DNS_MAIN}'
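Review bot: The added `secretName: authentik-tls` under `tls:` in hr.yaml (second hunk) is tied to the new Certificate only by a string repeated in two files, and nothing in the hunk records that the Secret must live in the same namespace as the rendered Ingress. If the name or namespace drifts, ingress-nginx does not fail; it serves its default self-signed certificate on the identity provider's login page. I would put a comment above the line, for example `# Secret issued by the Certificate in tls.yaml; must be in this release's namespace`. The ingress annotations are outside the hunk, so it is worth confirming there is no `cert-manager.io/cluster-issuer` annotation left on this ingress, because ingress-shim would then create a second Certificate targeting the same Secret. The enclosing `spec:` mapping starts and ends outside the hunk.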
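Review bot: The `dnsNames` list in tls.yaml requests the apex plus two wildcards (`'*.${DNS_MAIN}'` and `'*.tinfoil.${DNS_MAIN}'`) and stores the key in `authentik-tls` inside the authentik namespace, which is much wider than the single ingress host this release serves. Anything able to read Secrets in that namespace then holds a key valid for every subdomain, so I would limit `dnsNames` to the ingress host (the value behind `*host`, defined outside this diff), or issue the wildcard in a dedicated namespace if it is meant to be shared. Wildcard names also require a DNS-01 solver on `letsencrypt-production`, which the diff does not show. Under `privateKey:` I would add `rotationPolicy: Always` so that each renewal generates a fresh key, since older cert-manager releases default to reusing the existing one.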