diff --git a/gitops/README.md b/gitops/README.md
index 2ae4042..6eaacf0 100644
--- a/gitops/README.md
+++ b/gitops/README.md
@@ -54,6 +54,8 @@ Helm 3.19 may return empty content for `.Files.Get` on Windows; this chart uses
 Enable `ingress.enabled` and set `ingress.host` (and optional TLS). Traffic is sent to Service **`revproxy`** (internal nginx). On k3s, `ingress.className: traefik` matches the default controller.
+For **cert-manager**, set `ingress.tls: true`, `ingress.tlsSecretName`, and `ingress.certManager.clusterIssuer` (e.g. `letsencrypt-prod`). Ensure a **DNS A/CNAME** for `ingress.host` points to your ingress before the ACME challenge runs.
+
 ## Not migrated in this chart
 - **Edge proxy stack** (`app/proxy/docker-compose.yml`, host 80/443 Swarm mode) — replaced for K8s by this **Ingress** + `revproxy`; optional **cert-manager** for TLS at the Ingress.
diff --git a/gitops/charts/onelab/templates/ingress.yaml b/gitops/charts/onelab/templates/ingress.yaml
index fcb0b64..b2acd41 100644
--- a/gitops/charts/onelab/templates/ingress.yaml
+++ b/gitops/charts/onelab/templates/ingress.yaml
@@ -7,6 +7,9 @@ metadata:
 {{- include "onelab.labels" . | nindent 4 }}
 annotations:
 argocd.argoproj.io/sync-wave: {{ .Values.syncWaves.apps | quote }}
+ {{- if .Values.ingress.certManager.clusterIssuer }}
+ cert-manager.io/cluster-issuer: {{ .Values.ingress.certManager.clusterIssuer | quote }}
+ {{- end }}
 {{- with .Values.ingress.annotations }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
diff --git a/gitops/charts/onelab/values.yaml b/gitops/charts/onelab/values.yaml
index 438f501..34f5e35 100644
--- a/gitops/charts/onelab/values.yaml
+++ b/gitops/charts/onelab/values.yaml
@@ -97,6 +97,9 @@ ingress:
 annotations: {}
 tls: false
 tlsSecretName: ""
+ certManager:
+ # When set, adds cert-manager.io/cluster-issuer annotation (TLS secret is created automatically).
+ clusterIssuer: ""
 # Replica counts (api.apidevice etc. override defaults in templates/workloads.yaml via this map)
 replicas:
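Review bot: The new `cert-manager.io/cluster-issuer` annotation is emitted whenever `clusterIssuer` is non-empty regardless of `ingress.tls`, yet cert-manager's ingress-shim only requests a certificate when the Ingress also carries a `tls` entry with a `secretName`, so with the chart defaults (`tls: false`, `tlsSecretName: ""`) the annotation renders but nothing is issued and the mismatch is silent. Consider `{{- if and .Values.ingress.tls .Values.ingress.certManager.clusterIssuer }}`, or a `{{ fail "ingress.certManager.clusterIssuer requires ingress.tls and ingress.tlsSecretName" }}` when the issuer is set without them, so the chart enforces what the README paragraph only asks for. The generated line is rendered before `ingress.annotations` is merged in, so a user who also sets that key there produces a duplicate annotation key in the rendered manifest (presumably last-wins or a strict-decode error depending on the applier); skipping the generated key when `hasKey .Values.ingress.annotations "cert-manager.io/cluster-issuer"` is true, or documenting which one wins, would avoid the ambiguity. The enclosing `metadata:` mapping starts above the hunk.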
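Review bot: The comment on the new `certManager` key, `(TLS secret is created automatically)`, overstates what the setting does on its own: it only adds the annotation, and issuance additionally needs `tls: true` and a non-empty `tlsSecretName`, both of which default to off in the context lines just above. Suggest `# When set, adds the cert-manager.io/cluster-issuer annotation to the Ingress.` followed by `# cert-manager only issues a certificate when tls is true and tlsSecretName names the Secret it should write.` so a reader of values.yaml sees the dependency without the README. The `ingress:` mapping this belongs to starts above the hunk.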
diff --git a/gitops/values/k3s-example.yaml b/gitops/values/k3s-example.yaml
index 5bd4819..7d092b8 100644
--- a/gitops/values/k3s-example.yaml
+++ b/gitops/values/k3s-example.yaml
@@ -23,8 +23,8 @@ postgresql:
 password: "DBPasswordPlaceholder"
 onelab:
- # Match how users reach the UI (Ingress host); use https:// when ingress.tls is true.
- domain: "http://onelab.local"
+ # Public URL (must match ingress host + scheme).
+ domain: "https://onelab.k8s.selair.it"
 secrets:
 authTokenKey: "TokenAuthPlaceholder"
 monitoringToken: "TokenMonitoringPlaceholder"
@@ -40,11 +40,12 @@ revproxy:
 ingress:
 enabled: true
 className: traefik
- # Set DNS or /etc/hosts to this host pointing at your ingress (e.g. worker external IP or LB).
- host: onelab.local
+ host: onelab.k8s.selair.it
 path: /
 pathType: Prefix
+ tls: true
+ # cert-manager writes the certificate into this Secret in the release namespace
+ tlsSecretName: onelab-tls-k8s-selair
+ certManager:
+ clusterIssuer: letsencrypt-prod
 annotations: {}
- tls: false
- # tls: true
- # tlsSecretName: onelab-tls # create with cert-manager or kubectl
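Review bot: The example values file now pins a concrete public hostname, `onelab.k8s.selair.it`, for `onelab.domain` in this hunk and for `ingress.host` (together with `clusterIssuer: letsencrypt-prod`) in the second hunk, while every other value in the file is a visible placeholder such as `"DBPasswordPlaceholder"`. Anyone who copies the example as-is points their Ingress at a name they do not control, so the ACME challenge can never succeed, and repeated failed validations against what is presumably a production Let's Encrypt issuer count toward that issuer's failed-validation rate limits. Prefer an RFC 2606 placeholder (`host: onelab.example.com`, constructed) with the removed hint `# Set DNS or /etc/hosts to this host pointing at your ingress (e.g. worker external IP or LB).` restored above it, and consider pointing the example at a staging issuer rather than the production one. Both hunks sit inside the top-level `onelab:` and `ingress:` mappings, which start above them.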