diff --git a/helm-charts/stage/templates/ingress.yaml b/helm-charts/stage/templates/ingress.yaml
index 35db9f7..386bf95 100644
--- a/helm-charts/stage/templates/ingress.yaml
+++ b/helm-charts/stage/templates/ingress.yaml
@@ -4,6 +4,10 @@ metadata:
   name: {{ include "stage.fullname" . }}
   labels:
     {{- include "stage.labels" . | nindent 4 }}
+  annotations:
+    {{- if .Values.ingress.tls.issuer }}
+    cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.issuer}}
+    {{- end}}
 spec:
   {{- with .Values.ingress.className }}
   ingressClassName: {{ . }}
@@ -18,6 +22,12 @@ spec:
                 name: {{ include "stage.fullname" $ }}
                 port:
                   number: {{ $.Values.service.port }}
-      {{- if .Values.ingress.hostname }}  
+  {{- if .Values.ingress.hostname }}  
       host: {{ .Values.ingress.hostname | quote }}
-      {{- end }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.hostname | quote }}
+      secretName: {{ include "stage.fullname" . }}-cert
+  {{- end }}
+  {{- end }}
diff --git a/helm-charts/stage/values.yaml b/helm-charts/stage/values.yaml
index b2dd4bf..e530842 100644
--- a/helm-charts/stage/values.yaml
+++ b/helm-charts/stage/values.yaml
@@ -46,6 +46,9 @@ service:
 ingress:
   className: ""
   # hostname: "ontime.example.com"
+  tls:
+    enabled: false
+    issuer: ''
 
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious