diff --git a/.gitignore b/.gitignore index fe9276ec6..c606e1506 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,5 @@ mybinder/requirements.lock docs/_build travis/crypt-key env + +.vscode/ diff --git a/config/staging.yaml b/config/staging.yaml index 00930ee4c..be9376b49 100644 --- a/config/staging.yaml +++ b/config/staging.yaml @@ -12,6 +12,11 @@ binderhub: hosts: - gke.staging.mybinder.org - gke2.staging.mybinder.org + tls: + - secretName: certmanager-tls-binder-staging + hosts: + - gke.staging.mybinder.org + - gke2.staging.mybinder.org jupyterhub: singleuser: diff --git a/mybinder/requirements.yaml b/mybinder/requirements.yaml index f36d34631..6f683c002 100644 --- a/mybinder/requirements.yaml +++ b/mybinder/requirements.yaml @@ -11,6 +11,9 @@ dependencies: - name: kube-lego version: 0.4.2 repository: https://kubernetes-charts.storage.googleapis.com + - name: cert-manager + repository: https://charts.jetstack.io + version: v0.10.0 - name: binderhub version: 0.2.0-889380c repository: https://jupyterhub.github.io/helm-chart diff --git a/mybinder/templates/_helpers.tpl b/mybinder/templates/_helpers.tpl new file mode 100644 index 000000000..d2a4f867b --- /dev/null +++ b/mybinder/templates/_helpers.tpl 
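Review bot: Nothing in this `tls:` entry, or in the visible values.yaml hunks, says which issuer is meant to sign `certmanager-tls-binder-staging`. The ingress only gains `kubernetes.io/tls-acme: "true"`, which cert-manager's ingress-shim acts on only when a default issuer is configured; that default may be set elsewhere, but it is not visible here. Consider naming the issuer explicitly on the ingress, e.g. `certmanager.k8s.io/cluster-issuer: <issuer-name>`, so the staging hosts cannot silently end up without a certificate or draw on the production Let's Encrypt rate limits. The host list is also repeated from `hosts:` just above, so a comment such as `# keep in sync with ingress.hosts above` would guard against drift.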
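Review bot: The new `cert-manager` entry at `v0.10.0` comes from a release line where, as far as I recall, the CRDs are installed separately from the chart (worth confirming against that version's install notes). The same commit adds `ClusterIssuer` templates to this chart, so on a cluster where those CRDs are absent the release would presumably fail on the `ClusterIssuer` objects. The deploy procedure should record that step next to the dependency, e.g. `# requires the cert-manager CRDs to be applied before install`. As a style point, the key order here (`name`, `repository`, `version`) differs from the neighbouring entries (`name`, `version`, `repository`).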
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "mybinder.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "mybinder.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "mybinder.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/mybinder/templates/clusterissuer.yaml b/mybinder/templates/clusterissuer.yaml
new file mode 100644
index 000000000..5f13b8b5e
--- /dev/null
+++ b/mybinder/templates/clusterissuer.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+ name: prod
+ labels:
+ helm.sh/chart: {{ include "mybinder.chart" . }}
+ app.kubernetes.io/name: {{ include "mybinder.name" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: {{ .Values.letsencrypt.contactEmail }}
+ privateKeySecretRef:
+ name: mybinder-prod-acme-key
+ http01: {}
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+ name: staging
+ labels:
+ helm.sh/chart: {{ include "mybinder.chart" . }}
+ app.kubernetes.io/name: {{ include "mybinder.name" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+ acme:
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ email: {{ .Values.letsencrypt.contactEmail }}
+ privateKeySecretRef:
+ name: mybinder-staging-acme-key
+ http01: {}
diff --git a/mybinder/templates/gcs-proxy/ingress.yaml b/mybinder/templates/gcs-proxy/ingress.yaml
index d353118c2..797140eda 100644
--- a/mybinder/templates/gcs-proxy/ingress.yaml
+++ b/mybinder/templates/gcs-proxy/ingress.yaml
@@ -28,4 +28,4 @@ spec:
 {{- range $bucket := .Values.gcsProxy.buckets }}
 - {{ $bucket.host }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/mybinder/templates/matomo/ingress.yaml b/mybinder/templates/matomo/ingress.yaml
index 20dbf7fb5..e6b4cfd02 100644
--- a/mybinder/templates/matomo/ingress.yaml
+++ b/mybinder/templates/matomo/ingress.yaml
@@ -27,4 +27,4 @@ spec:
 {{ range $host := .Values.matomo.ingress.hosts }}
 - {{ $host }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/mybinder/values.yaml b/mybinder/values.yaml
index beddd8cba..223f246cc 100644
--- a/mybinder/values.yaml
+++ b/mybinder/values.yaml
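Review bot: Both issuers in clusterissuer.yaml are cluster-scoped yet carry the fixed names `prod` and `staging`, so a second release of this chart in the same cluster, or any other chart using those names, would collide. Deriving the name from the release, e.g. `name: {{ include "mybinder.fullname" . }}-prod`, avoids that; the `mybinder.fullname` helper added in this commit is otherwise unused in the visible hunks. The templated scalars are also unquoted, so an unset `letsencrypt.contactEmail` renders `email:` as null. Using `email: {{ required "letsencrypt.contactEmail must be set" .Values.letsencrypt.contactEmail | quote }}` would fail at render time instead. Because a ClusterIssuer can be referenced from any namespace, a short comment on who is expected to request certificates from `prod` would help when RBAC on Ingress objects is reviewed later.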
@@ -138,6 +138,7 @@ binderhub: enabled: true annotations: kubernetes.io/ingress.class: nginx + kubernetes.io/tls-acme: "true" https: enabled: true type: kube-lego @@ -319,6 +320,9 @@ kube-lego: image: tag: 0.1.7 +letsencrypt: + contactEmail: yuvipanda@gmail.com + grafana: ingress: enabled: true
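Review bot: The added `kubernetes.io/tls-acme: "true"` annotation sits directly above `https.type: kube-lego`, and kube-lego is still listed in requirements.yaml, so two ACME controllers may act on the same ingress and the same TLS secret. kube-lego reacts to this same annotation, so unless it is disabled somewhere outside this diff the two can compete over challenges and overwrite each other's certificate. If this is a migration step, say so at the annotation, e.g. `# consumed by cert-manager ingress-shim; kube-lego to be removed`, and scale kube-lego down in the same rollout. The enclosing `binderhub:` block starts outside the hunk.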
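Review bot: `letsencrypt.contactEmail` defaults to one maintainer's personal mailbox, so the ACME account registration and its expiry or revocation notices for every deployment of this chart depend on a single individual's inbox. The address is also published with the chart. A shared operations alias supplied per deployment would be more durable: leave the chart default as `contactEmail: ""`, set the real value in the deployment config, and have the template reject an empty value. A comment such as `# contact for Let's Encrypt account notices; use a team alias` would document the field.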