diff --git a/kubernetes/rpi5-cluster/apps/cert-manager/ks.yaml b/kubernetes/rpi5-cluster/apps/cert-manager/ks.yaml
new file mode 100644
index 0000000..e647a3a
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cert-manager/ks.yaml
@@ -0,0 +1,35 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: app
+ namespace: cert-manager
+spec:
+ interval: 1h
+ targetNamespace: cert-manager
+ path: ./kubernetes/rpi5-cluster/templates/apps/cert-manager/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ namespace: flux-system
+ name: home-cluster-ops
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: issuers
+ namespace: cert-manager
+spec:
+ interval: 1h
+ targetNamespace: cert-manager
+ path: ./kubernetes/rpi5-cluster/templates/apps/cert-manager/issuers
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ namespace: flux-system
+ name: home-cluster-ops
+ dependsOn:
+ - name: app
+ postBuild:
+ substituteFrom:
+ - kind: Secret
+ name: issuer-vars
diff --git a/kubernetes/rpi5-cluster/apps/cert-manager/namespace.yaml b/kubernetes/rpi5-cluster/apps/cert-manager/namespace.yaml
new file mode 100644
index 0000000..c90416f
--- /dev/null
+++ b/kubernetes/rpi5-cluster/apps/cert-manager/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
diff --git a/kubernetes/rpi5-cluster/infrastructure/repositories/cert-manager.yaml b/kubernetes/rpi5-cluster/infrastructure/repositories/cert-manager.yaml
new file mode 100644
index 0000000..2b98576
--- /dev/null
+++ b/kubernetes/rpi5-cluster/infrastructure/repositories/cert-manager.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: cert-manager
+ namespace: cert-manager
+spec:
+ interval: 1h
+ url: https://charts.jetstack.io
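Review bot: The `app` Kustomization's `path` ends in `.../cert-manager/app`, but the HelmRelease this commit adds lives under `.../templates/apps/cert-manager/apps/helmrelease.yaml`, so unless an `app` directory already exists outside this diff the reconciliation fails with a path-not-found error and `issuers`, which `dependsOn` it, never applies; one of the two names should change, e.g. `path: ./kubernetes/rpi5-cluster/templates/apps/cert-manager/apps`. Separately, `dependsOn` only waits for `app` to report Ready, and without `wait: true` Ready means "applied", not "HelmRelease installed", so the ClusterIssuer objects in `issuers` can be applied before the cert-manager CRDs exist and will fail until the next retry; adding `wait: true` (or a `healthChecks` entry for the HelmRelease) to the `app` Kustomization closes that window. The `issuer-vars` Secret consumed by `substituteFrom` is not part of this diff; if it is provisioned out of band, a comment naming where it comes from would help, since a missing Secret fails the build of `issuers` outright.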
diff --git a/kubernetes/rpi5-cluster/templates/apps/cert-manager/apps/helmrelease.yaml b/kubernetes/rpi5-cluster/templates/apps/cert-manager/apps/helmrelease.yaml
new file mode 100644
index 0000000..c4efb8e
--- /dev/null
+++ b/kubernetes/rpi5-cluster/templates/apps/cert-manager/apps/helmrelease.yaml
@@ -0,0 +1,44 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cert-manager
+ namespace: cert-manager
+spec:
+ interval: 1h
+ driftDetection:
+ mode: enabled
+ chart:
+ spec:
+ chart: cert-manager
+ version: v1.15.0
+ sourceRef:
+ kind: HelmRepository
+ namespace: cert-manager
+ name: cert-manager
+ interval: 1h
+ install:
+ crds: Create
+ upgrade:
+ crds: CreateReplace
+ values:
+ installCRDs: true
+
+ podLabels:
+ rpi5.cluster.policy/egress-kubeapi: "true"
+ rpi5.cluster.policy/egress-namespace: "true"
+ rpi5.cluster.policy/egress-world: "true"
+ rpi5.cluster.policy/ingress-namespace: "true"
+ webhook:
+ podLabels:
+ rpi5.cluster.policy/egress-kubeapi: "true"
+ cainjector:
+ podLabels:
+ rpi5.cluster.policy/egress-kubeapi: "true"
+
+ global:
+ priorityClassName: system-cluster-critical
+
+ podDnsConfig:
+ nameservers:
+ - 1.1.1.1
+ - 1.0.0.1
diff --git a/kubernetes/rpi5-cluster/templates/apps/cert-manager/issuers/letsencrypt-dns01.yaml b/kubernetes/rpi5-cluster/templates/apps/cert-manager/issuers/letsencrypt-dns01.yaml
new file mode 100644
index 0000000..976e4f2
--- /dev/null
+++ b/kubernetes/rpi5-cluster/templates/apps/cert-manager/issuers/letsencrypt-dns01.yaml
@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-dns01
+ namespace: cert-manager
+spec:
+ acme:
+ email: ${email}
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-dns01
+ solvers:
+ - dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ name: cloudflare-api-token
+ key: api-token
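Review bot: `installCRDs: true` under `values` is the deprecated switch for the chart version pinned here; as of v1.15 the chart exposes `crds.enabled` and `crds.keep`, and the Flux `install.crds`/`upgrade.crds` settings only govern a chart's `crds/` directory, which I believe cert-manager does not use (its CRDs are templated), so CRD lifecycle is effectively controlled by that one chart value. Replacing it with `crds.enabled: true` and an explicit `crds.keep: true` documents that removing the release must not delete the CRDs, and with them every Certificate and Issuer object in the cluster. `podDnsConfig.nameservers` is set without `podDnsPolicy`, and under the default ClusterFirst policy the listed resolvers are appended after the cluster DNS rather than replacing it, so if the intent is to have the DNS01 self-check bypass internal/split-horizon DNS, the documented route is `extraArgs` with `--dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53` and `--dns01-recursive-nameservers-only` (or `podDnsPolicy: None` if the whole pod should use these resolvers). The webhook Deployment receives only an `egress-kubeapi` label; if the `rpi5.cluster.policy/*` policy set default-denies ingress, the API server's admission calls to the webhook are blocked and every cert-manager resource write fails, which is worth confirming against the policy definitions (not in this diff).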
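Review bot: `metadata.namespace: cert-manager` on a ClusterIssuer has no effect because the kind is cluster-scoped; as far as I recall the API server clears the field on create, so the line is misleading and should be dropped here and in letsencrypt-http01.yaml (the `targetNamespace` in ks.yaml will re-inject it at build time, which is harmless but worth knowing). The `cloudflare-api-token` Secret is not created in this diff; for a ClusterIssuer it must live in the cluster resource namespace (`cert-manager` by default), and a comment stating where it is provisioned and that the token is scoped to DNS edit on the relevant zone only would document the blast radius of that credential. Both issuers point at the Let's Encrypt production endpoint with no staging counterpart, so any misconfiguration burns production rate limits; a staging issuer for testing is cheap to add. `email: ${email}` is a plain scalar, so an empty substitution yields `null` rather than a string; `email: "${email}"` fails more clearly.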
diff --git a/kubernetes/rpi5-cluster/templates/apps/cert-manager/issuers/letsencrypt-http01.yaml b/kubernetes/rpi5-cluster/templates/apps/cert-manager/issuers/letsencrypt-http01.yaml
new file mode 100644
index 0000000..657c3a5
--- /dev/null
+++ b/kubernetes/rpi5-cluster/templates/apps/cert-manager/issuers/letsencrypt-http01.yaml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-http01
+ namespace: cert-manager
+spec:
+ acme:
+ email: ${email}
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-http01
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
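Review bot: `class: nginx` under `http01.ingress` configures the solver Ingress through the deprecated `kubernetes.io/ingress.class` annotation; cert-manager v1.12 and later (I believe) accept `ingressClassName: nginx` in the same place, which sets `spec.ingressClassName` on the solver Ingress, the field current ingress controllers match on. With the chart pinned to v1.15.0 there is no compatibility reason to keep the annotation form, so `ingressClassName: nginx` is the safer choice here.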