diff --git a/apps/plex/deployment.yaml b/apps/plex/deployment.yaml
new file mode 100644
index 0000000..8c8af9c
--- /dev/null
+++ b/apps/plex/deployment.yaml
@@ -0,0 +1,69 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/deployment.json
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: envoy-plex
+ labels:
+ app.kubernetes.io/name: envoy-plex
+ app.kubernetes.io/instance: plex-media-server
+ namespace: cert-manager
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: envoy-plex
+ app.kubernetes.io/instance: plex-media-server
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: envoy-plex
+ app.kubernetes.io/instance: plex-media-server
+ spec:
+ terminationGracePeriodSeconds: 30
+ enableServiceLinks: false
+ serviceAccountName: default
+ automountServiceAccountToken: true
+ securityContext:
+ fsGroup: 65534
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ volumes:
+ - name: envoy-yaml
+ configMap:
+ name: envoy-yaml
+ - name: plex-tls
+ secret:
+ secretName: plex-swifthomelab-net
+ containers:
+ - name: envoy-plex
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ image: envoyproxy/envoy:v1.32.3@sha256:fb9c862d8089316eaae35d661d32ecedb21228ce0376b7dd7f52db2239e440c9
+ ports:
+ - name: https
+ containerPort: 8443
+ protocol: TCP
+ volumeMounts:
+ - name: envoy-yaml
+ mountPath: /etc/envoy/envoy.yaml
+ subPath: envoy.yaml
+ - name: plex-tls
+ subPath: tls.crt
+ mountPath: /etc/ssl/certs/plex_chain.crt
+ - name: plex-tls
+ subPath: tls.key
+ mountPath: /etc/ssl/certs/plex.key
+ restartPolicy: Always
diff --git a/apps/plex/service.yaml b/apps/plex/service.yaml
index d0e36a1..00f7933 100644
--- a/apps/plex/service.yaml
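Review bot: `automountServiceAccountToken: true` together with `serviceAccountName: default` mounts an API token into the Envoy pod, yet nothing in this manifest suggests Envoy talks to the API server: its config is a file from the `envoy-yaml` ConfigMap and its certificate is a mounted Secret. Because the pod runs in `namespace: cert-manager`, that token belongs to the default service account of a namespace that presumably also holds issuer credentials and other certificates, so any RBAC later bound to that account becomes reachable from an exposed proxy. I would set `automountServiceAccountToken: false`, and consider a dedicated namespace with the certificate issued or copied there rather than colocating the proxy with cert-manager. The `plex-tls` secret volume also keeps the default file mode; adding `defaultMode: 0440` under `secret:` would stop `tls.key` from being world-readable inside the container while `fsGroup: 65534` still lets Envoy read it.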
+++ b/apps/plex/service.yaml
@@ -8,8 +8,6 @@ metadata:
 app.kubernetes.io/name: plex-media-server
 app.kubernetes.io/instance: plex-media-server
 namespace: plex-media-server
- annotations:
- projectcontour.io/upstream-protocol.tls: "32400"
 spec:
 type: NodePort
 ports:
@@ -21,3 +19,24 @@ spec:
 selector:
 app.kubernetes.io/name: plex-media-server
 app.kubernetes.io/instance: plex-media-server
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/service-v1.json
+apiVersion: v1
+kind: Service
+metadata:
+ name: envoy-plex-ingress
+ labels:
+ app.kubernetes.io/name: envoy-plex
+ app.kubernetes.io/instance: plex-media-server
+ namespace: cert-manager
+spec:
+ type: NodePort
+ ports:
+ - port: 8443
+ targetPort: 8443
+ nodePort: 31443
+ protocol: TCP
+ name: https
+ selector:
+ app.kubernetes.io/name: envoy-plex
+ app.kubernetes.io/instance: plex-media-server
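Review bot: `type: NodePort` with `nodePort: 31443` in the new `envoy-plex-ingress` Service opens the Envoy listener on every node address in the cluster, and nothing in this hunk restricts who may reach it. If the port is meant to be forwarded from a single router or load balancer, a NetworkPolicy selecting the `envoy-plex` pods or a node firewall rule should state that, since the Service itself cannot. With the default `externalTrafficPolicy: Cluster` the client address is usually rewritten before Envoy sees it, so access logs would show node IPs; `externalTrafficPolicy: Local` keeps the source address if that is needed for logging or rate limiting.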