diff --git a/05-default-gateway/templates/default-gateway.yaml b/05-default-gateway/templates/default-gateway.yaml
index 40f64cb..a7dbd4b 100644
--- a/05-default-gateway/templates/default-gateway.yaml
+++ b/05-default-gateway/templates/default-gateway.yaml
@@ -3,6 +3,8 @@ apiVersion: gateway.networking.k8s.io/v1
 metadata:
   name: http
   namespace: kgateway-system
+  annotations:
+    cert-manager.io/cluster-issuer: "cloudflare-cluster-issuer"
 spec:
   gatewayClassName: kgateway
   listeners:
@@ -12,3 +14,15 @@ spec:
       allowedRoutes:
         namespaces:
           from: All
+    - protocol: HTTPS
+      port: 443
+      name: https
+      hostname: "*.homelab-test.hnrx.net"
+      allowedRoutes:
+        namespaces:
+          from: All
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: homelab-test-hnrx-net-tls
+
diff --git a/10-cloudflare-cluster-issuer/fleet.yaml b/10-cloudflare-cluster-issuer/fleet.yaml
new file mode 100644
index 0000000..03418b2
--- /dev/null
+++ b/10-cloudflare-cluster-issuer/fleet.yaml
@@ -0,0 +1,9 @@
+kind: Bundle
+metadata:
+  name: phase-secrets
+
+defaultNamespace: phase-secrets-operator
+
+dependsOn:
+  - name: fleet-base-setup-08-cert-manager
+  - name: fleet-base-setup-07-phase-secrets-operator
\ No newline at end of file
diff --git a/10-cloudflare-cluster-issuer/templates/cloudflare-cluster-issuer.yaml b/10-cloudflare-cluster-issuer/templates/cloudflare-cluster-issuer.yaml
new file mode 100644
index 0000000..ab74338
--- /dev/null
+++ b/10-cloudflare-cluster-issuer/templates/cloudflare-cluster-issuer.yaml
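Review bot: The `cert-manager.io/cluster-issuer` annotation on the Gateway only results in a Certificate if cert-manager's Gateway API integration is switched on; as far as I know that is opt-in (the `ExperimentalGatewayAPISupport` feature gate / `--enable-gateway-api` flag on the controller), and nothing in this diff shows the 08-cert-manager bundle enabling it. If it is off, the annotation is silently ignored and the new HTTPS listener keeps pointing at a secret that is never created. A comment on the annotation would save the next reader a debugging session, e.g. `# requires cert-manager's Gateway API support (ExperimentalGatewayAPISupport / --enable-gateway-api); see the 08-cert-manager bundle`, and it is worth confirming that flag is set there. The shim derives the Certificate's dnsNames and secretName from each listener's `hostname` and `tls.certificateRefs`, so the `homelab-test-hnrx-net-tls` name in the second hunk is the name the secret will be written under.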
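Review bot: The new HTTPS listener terminates a wildcard certificate for `*.homelab-test.hnrx.net` but keeps `allowedRoutes.namespaces.from: All`, so any namespace in the cluster can attach an HTTPRoute under that wildcard and be served with the shared certificate; in anything beyond a single-tenant homelab that lets one workload claim hostnames meant for another. If only a few namespaces should publish here, switch to `from: Selector` with a `selector.matchLabels` block, or `from: Same` while routes live next to the Gateway. The existing listener whose `from: All` appears as context (its protocol and port lines are outside the hunk) still accepts everything too, so if it is the plaintext listener an HTTP-to-HTTPS redirect is worth tracking separately. The final `+` line after `certificateRefs` adds a blank line at end of file, which yamllint's default `empty-lines` rule may flag.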
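Review bot: `metadata.name: phase-secrets` in the new fleet.yaml looks copied from the 07 phase-secrets-operator bundle; this directory holds the Cloudflare ClusterIssuer, so the name is misleading, and if Fleet takes the bundle name from a top-level `name` field rather than `metadata.name` (the `dependsOn` entries use the generated `fleet-base-setup-<dir>` form, which suggests that is what happens here) it is dead configuration either way. Rename it to match the directory, e.g. `name: cloudflare-cluster-issuer`, or drop it. The two `dependsOn` entries are the right ordering, since the PhaseSecret and ClusterIssuer CRDs must exist before this bundle is applied, and a one-line comment saying so would help, e.g. `# CRDs for PhaseSecret and ClusterIssuer must exist before this bundle applies`. The file also lacks a `---` document start and a trailing newline, unlike yamllint defaults.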
@@ -0,0 +1,37 @@
+apiVersion: secrets.phase.dev/v1alpha1
+kind: PhaseSecret
+metadata:
+  name: cloudflare-api-key-phase-secret
+  namespace: phase-secrets-operator
+spec:
+  phaseApp: 'cert-manager' # The name of your Phase application
+  phaseAppEnv: 'production' # OPTIONAL - The Phase App Environment to fetch secrets from
+  phaseAppEnvPath: '/' # OPTIONAL Path within the Phase application environment to fetch secrets from
+  phaseHost: 'https://phase.hnrx.net' # OPTIONAL - URL of a Phase Console instance
+  pollingInterval: 600 # OPTIONAL - Interval in seconds to poll for secret updates
+  authentication:
+    serviceToken:
+      serviceTokenSecretReference:
+        secretName: 'phase-service-token' # Name of the Phase Service Token with access to your application
+        secretNamespace: 'phase-secrets-operator'
+  managedSecretReferences:
+    - secretName: 'cloudflare-api-key' # Name of the Kubernetes managed secret that Phase will sync
+      secretNamespace: 'cert-manager'
+
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: cloudflare-cluster-issuer
+spec:
+  acme:
+    email: matthias.hinrichs@me.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: cluster-issuer-account-key
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-api-key
+              key: CLOUDFLARE_API_KEY
\ No newline at end of file
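Review bot: The ClusterIssuer uses `apiTokenSecretRef`, which expects a scoped Cloudflare API token, but the synced secret and its key are named `cloudflare-api-key` / `CLOUDFLARE_API_KEY`; if the Phase secret actually holds the account's Global API Key, authentication will fail (that form needs `apiKeySecretRef` plus `email`), and if it is a token the naming hides that, so confirm it is a token limited to Zone:DNS:Edit on this zone and consider renaming the key on both sides, e.g. `key: CLOUDFLARE_API_TOKEN`. Because this issuer is cluster-scoped, any namespace can request a certificate for any zone the token can edit; adding `selector: { dnsZones: [homelab-test.hnrx.net] }` to the `dns01` solver entry bounds what the token is used for. `secretNamespace: 'cert-manager'` on the managed secret is load-bearing, since a ClusterIssuer resolves solver secrets in cert-manager's cluster-resource namespace, and deserves a comment, e.g. `# must be cert-manager's cluster-resource namespace: ClusterIssuer solver secrets are looked up there`. The first document has no `---` start and the file ends without a newline.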