diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1219c00..6101276 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,18 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.2] - 2026-05-16
+
+### Fixed
+
+- Fixed `tokio-rt-worker` panic on startup when the Kubernetes Ingress watcher
+  opened its first TLS connection to the apiserver
+  (`Could not automatically determine the process-level CryptoProvider from
+  Rustls crate features`). With `kube` and `redis` features both pulling in
+  rustls 0.23 alongside `aws-lc-rs` and `ring`, rustls refuses to auto-select a
+  provider; the gateway now installs `rustls::crypto::ring` as the process
+  default at the top of `main()` before any TLS client is constructed.
+
 ## [1.0.1] - 2026-05-15
 
 ### Fixed
diff --git a/Cargo.lock b/Cargo.lock
index da10999..793105b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -8,7 +8,7 @@ version = "0.2.1"
 
 [[package]]
 name = "a3s-gateway"
-version = "1.0.1"
+version = "1.0.2"
 dependencies = [
  "a3s-acl",
  "a3s-updater",
diff --git a/Cargo.toml b/Cargo.toml
index 71bff58..9039154 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "a3s-gateway"
-version = "1.0.1"
+version = "1.0.2"
 edition = "2021"
 rust-version = "1.88"
 authors = ["A3S Lab"]
diff --git a/deploy/helm/a3s-gateway/Chart.yaml b/deploy/helm/a3s-gateway/Chart.yaml
index 4375772..b147997 100644
--- a/deploy/helm/a3s-gateway/Chart.yaml
+++ b/deploy/helm/a3s-gateway/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: a3s-gateway
 description: A3S Gateway — high-performance HTTP/TCP/UDP reverse proxy
 type: application
-version: 1.0.0
-appVersion: "1.0.0"
+version: 1.0.2
+appVersion: "1.0.2"
diff --git a/src/main.rs b/src/main.rs
index ea53e1a..24c9d83 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -141,6 +141,11 @@ struct ManagementApiArgs {
 
 #[tokio::main]
 async fn main() -> a3s_gateway::Result<()> {
+    // rustls 0.23 with both `aws-lc-rs` and `ring` in the dep graph refuses to
+    // auto-pick a CryptoProvider; install `ring` explicitly so kube-rs/reqwest
+    // TLS clients don't panic on first use.
+    let _ = rustls::crypto::ring::default_provider().install_default();
+
     let cli = Cli::parse();
 
     // Handle update subcommand early