diff --git a/deploy/Makefile b/deploy/Makefile
index a754028..a5e3ceb 100644
--- a/deploy/Makefile
+++ b/deploy/Makefile
@@ -1,4 +1,4 @@
-.PHONY: dev prod prod-ovh inflate
+.PHONY: dev prod prod-ovh cert-manager inflate
 
 dev:
 	@kubectl kustomize --enable-helm dev
@@ -11,6 +11,9 @@ prod-ovh:
 	# go install https://git.netflux.io/rob/envfilesubst@latest
 	@kubectl kustomize --enable-helm prod-ovh
 
+cert-manager:
+	@kubectl kustomize --enable-helm cert-manager
+
 load-prod-env:
 	$(eval include prod/secrets/env)
 	$(eval export)
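Review bot: The new `cert-manager` recipe passes `--enable-helm`, but the kustomization it renders (deploy/cert-manager/kustomization.yaml, added in full by this commit) lists only pre-inflated template files and has no `helmCharts` entry. The flag therefore does nothing for this target except allow kustomize to run a helm binary if a chart reference is added later. Unless it is kept deliberately for symmetry with `dev` and `prod-ovh`, the recipe can be `@kubectl kustomize cert-manager`.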
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/cainjector-deployment.yaml b/deploy/cert-manager/inflated/cert-manager/templates/cainjector-deployment.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/cainjector-deployment.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/cainjector-deployment.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/cainjector-rbac.yaml b/deploy/cert-manager/inflated/cert-manager/templates/cainjector-rbac.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/cainjector-rbac.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/cainjector-rbac.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/cainjector-service.yaml b/deploy/cert-manager/inflated/cert-manager/templates/cainjector-service.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/cainjector-service.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/cainjector-service.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/cainjector-serviceaccount.yaml b/deploy/cert-manager/inflated/cert-manager/templates/cainjector-serviceaccount.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/cainjector-serviceaccount.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/cainjector-serviceaccount.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/crds.yaml b/deploy/cert-manager/inflated/cert-manager/templates/crds.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/crds.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/crds.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/deployment.yaml b/deploy/cert-manager/inflated/cert-manager/templates/deployment.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/deployment.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/deployment.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/rbac.yaml b/deploy/cert-manager/inflated/cert-manager/templates/rbac.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/rbac.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/rbac.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/service.yaml b/deploy/cert-manager/inflated/cert-manager/templates/service.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/service.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/service.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/serviceaccount.yaml b/deploy/cert-manager/inflated/cert-manager/templates/serviceaccount.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/serviceaccount.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/serviceaccount.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/startupapicheck-job.yaml b/deploy/cert-manager/inflated/cert-manager/templates/startupapicheck-job.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/startupapicheck-job.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/startupapicheck-job.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/startupapicheck-rbac.yaml b/deploy/cert-manager/inflated/cert-manager/templates/startupapicheck-rbac.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/startupapicheck-rbac.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/startupapicheck-rbac.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/startupapicheck-serviceaccount.yaml b/deploy/cert-manager/inflated/cert-manager/templates/startupapicheck-serviceaccount.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/startupapicheck-serviceaccount.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/startupapicheck-serviceaccount.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/webhook-deployment.yaml b/deploy/cert-manager/inflated/cert-manager/templates/webhook-deployment.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/webhook-deployment.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/webhook-deployment.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/webhook-mutating-webhook.yaml b/deploy/cert-manager/inflated/cert-manager/templates/webhook-mutating-webhook.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/webhook-mutating-webhook.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/webhook-mutating-webhook.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/webhook-rbac.yaml b/deploy/cert-manager/inflated/cert-manager/templates/webhook-rbac.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/webhook-rbac.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/webhook-rbac.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/webhook-service.yaml b/deploy/cert-manager/inflated/cert-manager/templates/webhook-service.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/webhook-service.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/webhook-service.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/webhook-serviceaccount.yaml b/deploy/cert-manager/inflated/cert-manager/templates/webhook-serviceaccount.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/webhook-serviceaccount.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/webhook-serviceaccount.yaml
diff --git a/deploy/prod-ovh/inflated/cert-manager/templates/webhook-validating-webhook.yaml b/deploy/cert-manager/inflated/cert-manager/templates/webhook-validating-webhook.yaml
similarity index 100%
rename from deploy/prod-ovh/inflated/cert-manager/templates/webhook-validating-webhook.yaml
rename to deploy/cert-manager/inflated/cert-manager/templates/webhook-validating-webhook.yaml
diff --git a/deploy/cert-manager/kustomization.yaml b/deploy/cert-manager/kustomization.yaml
new file mode 100644
index 0000000..ebd71a6
--- /dev/null
+++ b/deploy/cert-manager/kustomization.yaml
@@ -0,0 +1,22 @@
+---
+# Important: namePrefix must be blank.
+resources:
+# cert-manager:
+- inflated/cert-manager/templates/serviceaccount.yaml
+- inflated/cert-manager/templates/cainjector-service.yaml
+- inflated/cert-manager/templates/crds.yaml
+- inflated/cert-manager/templates/webhook-rbac.yaml
+- inflated/cert-manager/templates/deployment.yaml
+- inflated/cert-manager/templates/cainjector-serviceaccount.yaml
+- inflated/cert-manager/templates/webhook-serviceaccount.yaml
+- inflated/cert-manager/templates/webhook-mutating-webhook.yaml
+- inflated/cert-manager/templates/cainjector-deployment.yaml
+- inflated/cert-manager/templates/startupapicheck-rbac.yaml
+- inflated/cert-manager/templates/startupapicheck-serviceaccount.yaml
+- inflated/cert-manager/templates/cainjector-rbac.yaml
+- inflated/cert-manager/templates/service.yaml
+- inflated/cert-manager/templates/webhook-service.yaml
+- inflated/cert-manager/templates/webhook-validating-webhook.yaml
+- inflated/cert-manager/templates/rbac.yaml
+- inflated/cert-manager/templates/startupapicheck-job.yaml
+- inflated/cert-manager/templates/webhook-deployment.yaml
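Review bot: The header comment `# Important: namePrefix must be blank.` states a constraint without the reason, so the next editor cannot tell when it is safe to change. Presumably the inflated chart output refers to its own ServiceAccounts, Services and webhook configurations by fixed names that a prefix would break; that is inferred from the split out of the `prod-` prefixed kustomization and should be confirmed. Suggest extending it to something like `# Important: namePrefix must be blank: the inflated cert-manager manifests reference each other by fixed names.` Nothing in this file records which chart version the files under `inflated/` were rendered from, which would be worth adding to the same comment.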
diff --git a/deploy/prod-ovh/cert-ingress-tls.yaml b/deploy/prod-ovh/cert-ingress-tls.yaml
new file mode 100644
index 0000000..b21eb25
--- /dev/null
+++ b/deploy/prod-ovh/cert-ingress-tls.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ingress-tls
+  namespace: default
+spec:
+  secretName: prod-ingress-tls
+  issuerRef:
+    name: prod-letsencrypt
+    kind: ClusterIssuer
+  commonName: k3s.netflux.io
+  dnsNames:
+    - k3s.netflux.io
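Review bot: `issuerRef.name: prod-letsencrypt` and `secretName: prod-ingress-tls` hard-code the `prod-` prefix that deploy/prod-ovh/kustomization.yaml applies through `namePrefix`. The ClusterIssuer in this commit is declared as `letsencrypt` and only becomes `prod-letsencrypt` after kustomize renames it. If the prefix ever changes, the Certificate points at an issuer that does not exist and simply stays unissued, with no error at build time. A comment above `issuerRef` such as `# must equal <namePrefix> + ClusterIssuer metadata.name; kustomize does not rewrite this field by default` would make the coupling explicit. `namespace: default` is fixed here too and has to match the namespace of the Ingress that consumes `prod-ingress-tls`.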
diff --git a/deploy/prod-ovh/clusterissuer.yaml b/deploy/prod-ovh/clusterissuer.yaml
new file mode 100644
index 0000000..07607ad
--- /dev/null
+++ b/deploy/prod-ovh/clusterissuer.yaml
@@ -0,0 +1,28 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: postmaster@netflux.io
+    privateKeySecretRef:
+      name: prod-letsencrypt
+    solvers:
+    # HTTP solver disabled for wildcard support.
+    # - http01:
+    #     ingress:
+    #       class: prod-nginx
+    - dns01:
+        route53:
+          region: eu-west-1
+          hostedZoneID: Z1OSEC2E6M9VER
+          accessKeyID: AKIARZPRT6YGHAENBEEX
+          secretAccessKeySecretRef:
+            # Using name reference transformers to manage this didn't work,
+            # possibly because ClusterIssuer is a cluster-scoped resource.
+            #
+            # For now, this secret should be provisioned manually in the
+            # cert-manager namespace:
+            name: prod-aws-credentials
+            key: secret
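Review bot: The `route53` solver authenticates with a static IAM user key: `accessKeyID` is committed in the manifest and the secret half lives in a manually provisioned Secret, so nothing here shows how the key is scoped or rotated. An access key ID is not itself secret, but it identifies a long-lived credential. The IAM policy behind it should be limited to record changes in the zone named by `hostedZoneID`, plus `route53:GetChange`, because a DNS-01 credential with wider Route 53 rights can be used to obtain certificates for any name in the account's zones. Suggest recording that in the comment block, e.g. `# IAM policy: route53:ChangeResourceRecordSets/ListResourceRecordSets on this hosted zone and route53:GetChange only; rotate the key when operators change.` If the deployed cert-manager version supports `accessKeyIDSecretRef`, moving the ID into the same Secret keeps rotation to a single object.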
diff --git a/deploy/prod-ovh/ingress.yaml b/deploy/prod-ovh/ingress.yaml
index 6db16ab..3f0e75f 100644
--- a/deploy/prod-ovh/ingress.yaml
+++ b/deploy/prod-ovh/ingress.yaml
@@ -3,7 +3,6 @@ kind: Ingress
 metadata:
   name: ingress
   annotations:
-    cert-manager.io/cluster-issuer: prod-letsencrypt
     nginx.ingress.kubernetes.io/proxy-body-size: 50m
     nginx.ingress.kubernetes.io/server-snippet: |
       location = /robots.txt {
@@ -11,9 +10,20 @@ metadata:
         return 200 "User-agent: Amazonbot\nDisallow: /\n\nUser-agent: BLEXBot\nDisallow: /\n\nUser-agent: SemrushBot\nDisallow: /\n\nUser-agent: AhrefsBot\nDisallow: /\n\nUser-agent: DotBot\nDisallow: /\n\nUser-agent: MJ12bot\nDisallow: /\n\nUser-agent: PetalBot\nDisallow: /\n\nUser-agent: ImagesiftBot\nDisallow: /\n\nUser-agent: BingBot\nCrawl-delay: 30\n";
 
       }
+
 spec:
-  ingressClassName: prod-nginx
+  rules:
+  - host: k3s.netflux.io
+    http:
+      paths:
+      - path: /test
+        pathType: Prefix
+        backend:
+          service:
+            name: whoami
+            port:
+              number: 5678
   tls:
-    hosts:
+    - hosts:
       - k3s.netflux.io
-    secretName: prod-ingress-tls
+      secretName: prod-ingress-tls
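Review bot: Dropping `ingressClassName: prod-nginx` from `spec` leaves the Ingress without a class, so it is only served if the cluster has an IngressClass marked as default. The `nginx.ingress.kubernetes.io/*` annotations in `metadata` still assume the nginx controller. If the removal works around `namePrefix` not matching the installed class name, set the real class explicitly rather than omitting the field, e.g. `ingressClassName: <installed-class-name>` (placeholder). The new backend `name: whoami` is also unprefixed, and the whoami Service is not among the resources this commit adds to prod-ovh/kustomization.yaml, so it has to exist under that exact name in the Ingress's namespace.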
diff --git a/deploy/prod-ovh/kustomization.yaml b/deploy/prod-ovh/kustomization.yaml
index a6aebeb..e8c520f 100644
--- a/deploy/prod-ovh/kustomization.yaml
+++ b/deploy/prod-ovh/kustomization.yaml
@@ -2,22 +2,6 @@
 namePrefix: prod-
 resources:
 - ../minimal-base
-# cert-manager:
-- inflated/cert-manager/templates/serviceaccount.yaml
-- inflated/cert-manager/templates/cainjector-service.yaml
-- inflated/cert-manager/templates/crds.yaml
-- inflated/cert-manager/templates/webhook-rbac.yaml
-- inflated/cert-manager/templates/deployment.yaml
-- inflated/cert-manager/templates/cainjector-serviceaccount.yaml
-- inflated/cert-manager/templates/webhook-serviceaccount.yaml
-- inflated/cert-manager/templates/webhook-mutating-webhook.yaml
-- inflated/cert-manager/templates/cainjector-deployment.yaml
-- inflated/cert-manager/templates/startupapicheck-rbac.yaml
-- inflated/cert-manager/templates/startupapicheck-serviceaccount.yaml
-- inflated/cert-manager/templates/cainjector-rbac.yaml
-- inflated/cert-manager/templates/service.yaml
-- inflated/cert-manager/templates/webhook-service.yaml
-- inflated/cert-manager/templates/webhook-validating-webhook.yaml
-- inflated/cert-manager/templates/rbac.yaml
-- inflated/cert-manager/templates/startupapicheck-job.yaml
-- inflated/cert-manager/templates/webhook-deployment.yaml
+- clusterissuer.yaml
+- cert-ingress-tls.yaml
+- ingress.yaml
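Review bot: With the cert-manager manifests moved to their own kustomization, the `clusterissuer.yaml` and `cert-ingress-tls.yaml` entries added here depend on CRDs and a webhook that this build no longer contains. Applying `prod-ovh` to a cluster where the cert-manager kustomization has not been applied and become ready would be expected to fail on the unknown `ClusterIssuer`/`Certificate` kinds or on webhook validation. A comment above the new entries would record the order, e.g. `# requires the cert-manager kustomization (make cert-manager) to be applied and ready first`.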
diff --git a/deploy/whoami-deploy.yaml b/deploy/whoami-deploy.yaml
new file mode 100644
index 0000000..665ac7f
--- /dev/null
+++ b/deploy/whoami-deploy.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: whoami
+spec:
+  selector:
+    matchLabels:
+      app: whoami
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: whoami
+    spec:
+      containers:
+        - name: whoami
+          image: traefik/whoami:v1.9.0
+          ports:
+            - containerPort: 80
+
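Review bot: `traefik/whoami` is a diagnostic server that echoes request details back to the caller, and this commit routes `/test` on the production host `k3s.netflux.io` to it (deploy/prod-ovh/ingress.yaml). If it is a smoke test for the new certificate, mark it as temporary in the manifest, e.g. `# TEMPORARY: TLS smoke-test backend, remove once issuance is verified`, and remove the `/test` rule along with it. While it stays, the container spec has no `resources` limits and no `securityContext`. Adding `securityContext: {allowPrivilegeEscalation: false}` and small CPU/memory limits keeps an internet-reachable pod bounded.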
diff --git a/deploy/whoami-svc.yaml b/deploy/whoami-svc.yaml
new file mode 100644
index 0000000..31d667a
--- /dev/null
+++ b/deploy/whoami-svc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+spec:
+  type: ClusterIP
+  ports:
+    - port: 5678
+      targetPort: 80
+  selector:
+    app: whoami
+