diff --git a/cert-manager/cluster-issuer-selfsigned.yaml b/cert-manager/cluster-issuer-selfsigned.yaml
new file mode 100644
index 0000000..4ca9f59
--- /dev/null
+++ b/cert-manager/cluster-issuer-selfsigned.yaml
@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: cluster-issuer-selfsigned
+spec:
+ selfSigned: {}
diff --git a/deploy/base/ingress.yaml b/deploy/base/ingress.yaml
new file mode 100644
index 0000000..1acead4
--- /dev/null
+++ b/deploy/base/ingress.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress
+spec:
+ ingressClassName: nginx
+ # NOTE: overlays depend on the order of rule entries.
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: grafana
+ port:
+ name: service
diff --git a/deploy/base/kustomization.yaml b/deploy/base/kustomization.yaml
index c8c3093..66a0a44 100644
--- a/deploy/base/kustomization.yaml
+++ b/deploy/base/kustomization.yaml
@@ -59,3 +59,5 @@ resources:
 - inflated/grafana/templates/podsecuritypolicy.yaml
 - inflated/grafana/templates/configmap.yaml
 - inflated/grafana/templates/clusterrolebinding.yaml
+
+- ingress.yaml
diff --git a/deploy/dev/deploy-ingress-nginx.yaml b/deploy/dev/deploy-ingress-nginx.yaml
index 6a8e9f4..1884b1d 100644
--- a/deploy/dev/deploy-ingress-nginx.yaml
+++ b/deploy/dev/deploy-ingress-nginx.yaml
@@ -5,3 +5,6 @@
 - op: replace
 path: /spec/template/spec/containers/0/args/5
 value: "--configmap=$(POD_NAMESPACE)/dev-ingress-nginx-controller"
+- op: replace
+ path: /spec/template/spec/volumes/0/secret/secretName
+ value: dev-ingress-nginx-admission
diff --git a/deploy/dev/ingress.yaml b/deploy/dev/ingress.yaml
new file mode 100644
index 0000000..fe8b452
--- /dev/null
+++ b/deploy/dev/ingress.yaml
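Review bot: In cert-manager/cluster-issuer-selfsigned.yaml the issuer is a `ClusterIssuer`, so it can be referenced from every namespace in the cluster, and nothing in the file says it is meant for dev only. Certificates from a bare `selfSigned` issuer have no CA that clients can be told to trust, so they only suit throw-away environments. I would add a header comment such as `# Dev only: self-signed leaf certificates, not trusted by clients; do not reference from the prod overlay.` The file is also not listed in any kustomization visible in this commit, so how it gets applied presumably needs a line in the README or in the dev overlay.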
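Review bot: In deploy/dev/deploy-ingress-nginx.yaml the new patch addresses the secret by position (`/spec/template/spec/volumes/0/secret/secretName`), so if the inflated upstream manifest ever reorders its volumes the `replace` silently rewrites a different volume. The same applies to the `args/3` and `args/4` replacements in the dev and prod job-ingress-nginx-admission-create and -patch files and to the prod copy of this file, where a shifted index would overwrite an unrelated flag with `--secret-name=...`. A JSON Patch (RFC 6902) `op: test` on the same path with the expected upstream value, placed just before each `replace`, would make the build fail instead of producing a wrong manifest. At minimum, a comment naming the upstream value expected at each index would help the next upgrade.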
@@ -0,0 +1,15 @@
+- op: replace
+ path: /spec/ingressClassName
+ value: dev-nginx
+- op: add
+ path: /metadata/annotations
+ value:
+ cert-manager.io/cluster-issuer: cluster-issuer-selfsigned
+- op: replace
+ path: /spec/tls
+ value:
+ - hosts:
+ - grafana.local
+- op: replace
+ path: /spec/rules/0/host
+ value: grafana.local
diff --git a/deploy/dev/job-ingress-nginx-admission-create.yaml b/deploy/dev/job-ingress-nginx-admission-create.yaml
index fa1e3f2..e4a660e 100644
--- a/deploy/dev/job-ingress-nginx-admission-create.yaml
+++ b/deploy/dev/job-ingress-nginx-admission-create.yaml
@@ -2,3 +2,6 @@
 - op: replace
 path: /spec/template/spec/containers/0/args/1
 value: "--host=dev-ingress-nginx-controller-admission,dev-ingress-nginx-controller-admission.$(POD_NAMESPACE).svc"
+- op: replace
+ path: /spec/template/spec/containers/0/args/3
+ value: "--secret-name=dev-ingress-nginx-admission"
diff --git a/deploy/dev/job-ingress-nginx-admission-patch.yaml b/deploy/dev/job-ingress-nginx-admission-patch.yaml
index c394e0f..a461747 100644
--- a/deploy/dev/job-ingress-nginx-admission-patch.yaml
+++ b/deploy/dev/job-ingress-nginx-admission-patch.yaml
@@ -2,3 +2,6 @@
 - op: replace
 path: /spec/template/spec/containers/0/args/1
 value: "--webhook-name=dev-ingress-nginx-admission"
+- op: replace
+ path: /spec/template/spec/containers/0/args/4
+ value: "--secret-name=dev-ingress-nginx-admission"
diff --git a/deploy/dev/kustomization.yaml b/deploy/dev/kustomization.yaml
index 46150fa..1a6463b 100644
--- a/deploy/dev/kustomization.yaml
+++ b/deploy/dev/kustomization.yaml
@@ -55,6 +55,12 @@ patches:
 name: ingress-nginx-admission-patch
 path: job-ingress-nginx-admission-patch.yaml
 
+# Patch the ingress resource with stage-specific hostnames:
+- target:
+ kind: Ingress
+ name: ingress
+ path: ingress.yaml
+
 # Patch Grafana deployment to inject PostgreSQL credentials:
 - target:
 kind: Deployment
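Review bot: In deploy/dev/ingress.yaml the `/spec/tls` patch uses `op: replace`, but the base Ingress added in this commit has no `spec.tls`, and RFC 6902 `replace` requires the target location to exist, so the overlay build is likely to fail. `op: add` works whether or not the key is present; deploy/prod/ingress.yaml has the same `replace`. The dev TLS entry also lacks a `secretName` (prod sets `prod-ingress-tls`), and cert-manager's Ingress handling needs one to create a Certificate. Without it the `cluster-issuer-selfsigned` annotation would presumably have no effect and the controller would serve its default certificate. Adding a line such as `secretName: dev-ingress-tls` (name constructed here) under the `hosts` entry would close that gap.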
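Review bot: The comment added in deploy/dev/kustomization.yaml says the patch sets stage-specific hostnames, but the ingress.yaml it points to also changes the ingress class, the cert-manager issuer annotation and the TLS block. I would word it as `# Patch the ingress resource with the stage-specific class, issuer, TLS block and hostname:`. The identical comment in deploy/prod/kustomization.yaml needs the same change. The `patches` list starts and ends outside the hunk.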
diff --git a/deploy/prod/deploy-ingress-nginx.yaml b/deploy/prod/deploy-ingress-nginx.yaml
index aa2eaed..ff9214d 100644
--- a/deploy/prod/deploy-ingress-nginx.yaml
+++ b/deploy/prod/deploy-ingress-nginx.yaml
@@ -5,3 +5,6 @@
 - op: replace
 path: /spec/template/spec/containers/0/args/5
 value: "--configmap=$(POD_NAMESPACE)/prod-ingress-nginx-controller"
+- op: replace
+ path: /spec/template/spec/volumes/0/secret/secretName
+ value: prod-ingress-nginx-admission
diff --git a/deploy/prod/ingress.yaml b/deploy/prod/ingress.yaml
new file mode 100644
index 0000000..1938783
--- /dev/null
+++ b/deploy/prod/ingress.yaml
@@ -0,0 +1,16 @@
+- op: replace
+ path: /spec/ingressClassName
+ value: prod-nginx
+- op: add
+ path: /metadata/annotations
+ value:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+- op: replace
+ path: /spec/tls
+ value:
+ - hosts:
+ - grafana.netflux.io
+ secretName: prod-ingress-tls
+- op: replace
+ path: /spec/rules/0/host
+ value: grafana.netflux.io
diff --git a/deploy/prod/job-ingress-nginx-admission-create.yaml b/deploy/prod/job-ingress-nginx-admission-create.yaml
index c47388a..1b92709 100644
--- a/deploy/prod/job-ingress-nginx-admission-create.yaml
+++ b/deploy/prod/job-ingress-nginx-admission-create.yaml
@@ -2,3 +2,6 @@
 - op: replace
 path: /spec/template/spec/containers/0/args/1
 value: "--host=prod-ingress-nginx-controller-admission,prod-ingress-nginx-controller-admission.$(POD_NAMESPACE).svc"
+- op: replace
+ path: /spec/template/spec/containers/0/args/3
+ value: "--secret-name=prod-ingress-nginx-admission"
diff --git a/deploy/prod/job-ingress-nginx-admission-patch.yaml b/deploy/prod/job-ingress-nginx-admission-patch.yaml
index aac645d..23eef8b 100644
--- a/deploy/prod/job-ingress-nginx-admission-patch.yaml
+++ b/deploy/prod/job-ingress-nginx-admission-patch.yaml
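Review bot: In deploy/prod/ingress.yaml the annotation names the issuer `letsencrypt-production`, but the only issuer this commit adds is `cluster-issuer-selfsigned`. Unless that ClusterIssuer already exists in the target cluster, no certificate will be issued for grafana.netflux.io and the controller presumably falls back to its default certificate. A comment next to the annotation saying where `letsencrypt-production` is defined would make the dependency visible. Separately, `op: add` on `/metadata/annotations` replaces the whole annotations map, which is harmless while the base Ingress has none but would drop any base annotations added later.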
@@ -2,3 +2,6 @@
 - op: replace
 path: /spec/template/spec/containers/0/args/1
 value: "--webhook-name=prod-ingress-nginx-admission"
+- op: replace
+ path: /spec/template/spec/containers/0/args/4
+ value: "--secret-name=prod-ingress-nginx-admission"
diff --git a/deploy/prod/kustomization.yaml b/deploy/prod/kustomization.yaml
index daade1a..26a6d00 100644
--- a/deploy/prod/kustomization.yaml
+++ b/deploy/prod/kustomization.yaml
@@ -46,6 +46,12 @@ patches:
 name: ingress-nginx-admission-patch
 path: job-ingress-nginx-admission-patch.yaml
 
+# Patch the ingress resource with stage-specific hostnames:
+- target:
+ kind: Ingress
+ name: ingress
+ path: ingress.yaml
+
 # Patch prometheus-server pod to mount the secrets volume.
 - target:
 kind: Deployment