diff --git a/kustomizations/cert-manager/cluster-issuer/issuer.yaml b/kustomizations/cert-manager/cluster-issuer/issuer.yaml
new file mode 100644
index 0000000..148fa51
--- /dev/null
+++ b/kustomizations/cert-manager/cluster-issuer/issuer.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    email: ryan@distrust.co
+    privateKeySecretRef:
+      name: letsencrypt
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+    - dns01:
+        digitalocean:
+          tokenSecretRef:
+            name: digitalocean
+            key: access-token
diff --git a/kustomizations/cert-manager/cluster-issuer/kustomization.yaml b/kustomizations/cert-manager/cluster-issuer/kustomization.yaml
new file mode 100644
index 0000000..aedc3c7
--- /dev/null
+++ b/kustomizations/cert-manager/cluster-issuer/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- issuer.yaml
+generators:
+- secret-generator.yaml
diff --git a/kustomizations/cert-manager/cluster-issuer/secret-generator.yaml b/kustomizations/cert-manager/cluster-issuer/secret-generator.yaml
new file mode 100644
index 0000000..ddbee24
--- /dev/null
+++ b/kustomizations/cert-manager/cluster-issuer/secret-generator.yaml
@@ -0,0 +1,6 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: ksops
+files:
+- ../../digitalocean/digitalocean-config.enc.yaml
diff --git a/kustomizations/cert-manager/kustomization.yaml b/kustomizations/cert-manager/kustomization.yaml
index 143a554..605c130 100644
--- a/kustomizations/cert-manager/kustomization.yaml
+++ b/kustomizations/cert-manager/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
 namespace: cert-manager
 resources:
 - https://github.com/james-callahan/cert-manager-kustomize?ref=b9560b4603bffac901c99d7d9d16e5e2a07e44d8
+- cluster-issuer
 - namespace.yaml
 replacements:
   - source: