diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 0aa6842..139f0ac 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -150,4 +150,4 @@ jobs:
 helm upgrade --install team-devoops infra/helm/team-devoops \
 --namespace "$NAMESPACE" \
 --set global.image.tag=${{ github.sha }} \
- --wait --timeout 5m
+ --wait --timeout 10m
diff --git a/infra/helm/team-devoops/templates/ingress.yaml b/infra/helm/team-devoops/templates/ingress.yaml
index d7abe03..ba3d9b2 100644
--- a/infra/helm/team-devoops/templates/ingress.yaml
+++ b/infra/helm/team-devoops/templates/ingress.yaml
@@ -15,6 +15,9 @@ metadata:
 annotations:
 nginx.ingress.kubernetes.io/use-regex: "true"
 nginx.ingress.kubernetes.io/rewrite-target: /$2
+ {{- if and $tls.enabled $tls.clusterIssuer }}
+ cert-manager.io/cluster-issuer: {{ $tls.clusterIssuer | quote }}
+ {{- end }}
 spec:
 ingressClassName: {{ .Values.ingress.className }}
 {{- if $tls.enabled }}
@@ -50,6 +53,10 @@ metadata:
 name: team-devoops-plain
 labels:
 {{- include "team-devoops.labels" (dict "name" "ingress-plain" "root" $) | nindent 4 }}
+ {{- if and $tls.enabled $tls.clusterIssuer }}
+ annotations:
+ cert-manager.io/cluster-issuer: {{ $tls.clusterIssuer | quote }}
+ {{- end }}
 spec:
 ingressClassName: {{ .Values.ingress.className }}
 {{- if $tls.enabled }}
diff --git a/infra/helm/team-devoops/values.yaml b/infra/helm/team-devoops/values.yaml
index 5ec0958..8ad83e9 100644
--- a/infra/helm/team-devoops/values.yaml
+++ b/infra/helm/team-devoops/values.yaml
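Review bot: Both Ingress objects in ingress.yaml now carry `cert-manager.io/cluster-issuer`: the first hunk adds it to the existing annotations block, and the second adds a new `annotations:` block on `team-devoops-plain`. The `spec.tls` sections lie outside both hunks, so whether the two objects share one `secretName` needs confirming; if they do, cert-manager's ingress-shim would see two Ingresses claiming the same Certificate and is likely to refuse updates from the one that does not own it. In that case, keep the annotation on one Ingress only and let the other just reference the Secret in `spec.tls`. A template comment above the condition would also help, for example `{{- /* tls.enabled without clusterIssuer: secretName must point at a pre-existing TLS Secret */ -}}`.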
@@ -45,8 +45,13 @@ ingress:
 className: nginx
 host: ge83mom-devops26.stud.k8s.aet.cit.tum.de
 tls:
- enabled: false
- secretName: ""
+ enabled: true
+ # Secret nginx serves the cert from. With cert-manager this is created
+ # automatically; otherwise it must reference a pre-existing TLS Secret.
+ secretName: team-devoops-tls
+ # cert-manager ClusterIssuer that issues the cert (TUM AET cluster).
+ # Adds the cert-manager.io/cluster-issuer annotation on the ingresses.
+ clusterIssuer: letsencrypt-prod
 
 # Default compute resources applied to every app container (overridable per service).
 resources:
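Review bot: `enabled: true` together with `clusterIssuer: letsencrypt-prod` is now the chart default, so every install that does not override it requests a certificate for the hard-coded `host` from what its name suggests is a production ACME issuer. If the CD job's `$NAMESPACE` ever points at more than one namespace (test, preview), those installs share the per-hostname issuance quota, and exhausting it can block issuance or renewal for the real deployment. Consider defaulting to `clusterIssuer: ""` and setting it from the pipeline, e.g. `--set ingress.tls.clusterIssuer=letsencrypt-prod` (values path inferred from the hunk header), or at least extending the comment to say that non-production installs must override it. Note also that `helm upgrade --wait` does not wait for the Certificate to become Ready, so the deploy can report success while nginx still serves its default self-signed certificate; a post-deploy check on the Certificate or Secret would catch a failed issuance.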