diff --git a/infrastructure/cert-manager/cloudflare-secret.sealed.yaml b/infrastructure/cert-manager/cloudflare-secret.sealed.yaml
new file mode 100644
index 0000000..b883ea1
--- /dev/null
+++ b/infrastructure/cert-manager/cloudflare-secret.sealed.yaml
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: cloudflare-api-token-secret
+  namespace: cert-manager
+spec:
+  encryptedData:
+    api-token: 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
+  template:
+    data: null
+    metadata:
+      creationTimestamp: null
+      name: cloudflare-api-token-secret
+      namespace: cert-manager
+
diff --git a/infrastructure/cert-manager/cluster-issuer.yaml b/infrastructure/cert-manager/cluster-issuer.yaml
new file mode 100644
index 0000000..f1a4d8c
--- /dev/null
+++ b/infrastructure/cert-manager/cluster-issuer.yaml
@@ -0,0 +1,25 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-issuer
+spec:
+  acme:
+    # You must replace this email address with your own.
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: contact@kasperhermansen.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: letsencrypt-issuer-secret
+    # Add a single challenge solver, HTTP01 using nginx
+    solvers:
+    - dns01:
+        cloudflare:
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token
+      selector:
+        dnsNames:
+        - 'kjuulh.app'
+        - '*.kjuulh.app'
diff --git a/infrastructure/cert-manager/create-secret.sh b/infrastructure/cert-manager/create-secret.sh
new file mode 100755
index 0000000..ef40c98
--- /dev/null
+++ b/infrastructure/cert-manager/create-secret.sh
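Review bot: The comment `# Add a single challenge solver, HTTP01 using nginx` above `solvers:` in cluster-issuer.yaml contradicts the solver that follows, which is a DNS01 solver backed by Cloudflare, and the three-line `You must replace this email address` block is a leftover from the upstream example now that a concrete address is set. Replace the solver comment with `# Single DNS01 solver via Cloudflare; the selector restricts it to kjuulh.app and its direct subdomains` and drop or shorten the email template text. As I read cert-manager's solver selection, a Certificate whose dnsNames fall outside that selector will find no matching solver and stay pending, so any additional zone needs its own solver entry; a one-line comment on `selector:` saying so would save the next reader a debugging round.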
@@ -0,0 +1,15 @@
+#!/bin/bash
+echo "Encrypt secret with 'sealed-secrets'"
+kubectl -n default create secret generic cloudflare-api-token-secret \
+--from-literal=api-token="$1" \
+--namespace="cert-manager" \
+--dry-run=client \
+-o yaml > cloudflare-secret.yaml
+echo "secret: $1"
+kubeseal \
+  --format=yaml \
+  --controller-name=sealed-secrets \
+  --controller-namespace=kube-system \
+< cloudflare-secret.yaml > cloudflare-secret.sealed.yaml
+echo "Updated/created secret"
+rm cloudflare-secret.yaml
diff --git a/infrastructure/cert-manager/kustomization.yaml b/infrastructure/cert-manager/kustomization.yaml
index 5edc9be..883e28d 100644
--- a/infrastructure/cert-manager/kustomization.yaml
+++ b/infrastructure/cert-manager/kustomization.yaml
@@ -4,3 +4,5 @@ namespace: cert-manager
 resources:
   - namespace.yaml
   - release.yaml
+  - cloudflare-secret.sealed.yaml
+  - cluster-issuer.yaml
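Review bot: `echo "secret: $1"` in create-secret.sh writes the Cloudflare API token in cleartext to stdout, so it lands in terminal scrollback and in the log of any CI job that runs this script; that line should go. Two smaller problems in the same file: the kubectl call passes both `-n default` and `--namespace="cert-manager"` (the later flag wins, but the first is misleading and should be dropped), and because the script has no `set -e`, a failed kubeseal run goes unnoticed while the `>` redirect has already truncated `cloudflare-secret.sealed.yaml`. Passing the token as an argument also leaves it in shell history and in process listings; reading it from stdin or an environment variable would avoid that, though the rewrite below keeps the existing `$1` interface. The plaintext manifest is removed through an EXIT trap so it is cleaned up on failure as well, which a trailing `rm` under `set -e` would not guarantee.

```shell
#!/bin/bash
set -euo pipefail
# Remove the plaintext manifest on any exit, including a failed kubeseal run.
trap 'rm -f cloudflare-secret.yaml' EXIT
echo "Encrypt secret with 'sealed-secrets'"
kubectl create secret generic cloudflare-api-token-secret \
  --from-literal=api-token="$1" \
  --namespace="cert-manager" \
  --dry-run=client \
  -o yaml > cloudflare-secret.yaml
# … unchanged: kubeseal invocation reading cloudflare-secret.yaml …
echo "Updated/created secret"
```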