diff --git a/apps/production/cert-manager/kustomization.yaml b/apps/production/cert-manager/kustomization.yaml
index e95818b..60957ff 100644
--- a/apps/production/cert-manager/kustomization.yaml
+++ b/apps/production/cert-manager/kustomization.yaml
@@ -4,5 +4,7 @@ kind: Kustomization
 namespace: cert-manager
 resources:
 - namespace.yaml
- - certificates/*.yaml
+ - certificates/fascinated-cc.yaml
+ - certificates/local-fascinated-cc.yaml
+ - certificates/mcutils-xyz.yaml
 - issuers.yaml
diff --git a/apps/production/traefik/kustomization.yaml b/apps/production/traefik/kustomization.yaml
index 32d350d..53595d5 100644
--- a/apps/production/traefik/kustomization.yaml
+++ b/apps/production/traefik/kustomization.yaml
@@ -4,6 +4,4 @@ kind: Kustomization
 namespace: traefik-production
 resources:
 - namespace.yaml
- - rbac.yaml
 - traefik.yaml
- - service.yaml
diff --git a/apps/production/traefik/rbac.yaml b/apps/production/traefik/rbac.yaml
deleted file mode 100644
index aa9c97c..0000000
--- a/apps/production/traefik/rbac.yaml
+++ /dev/null
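Review bot: The three explicit certificate entries are correct but leave undocumented why `certificates/*.yaml` had to go: kustomize does not expand glob patterns in `resources`, so a certificate later added to `certificates/` without an entry here is silently left out of the build. Suggest a comment above the three entries, `# kustomize does not expand globs: list every file in certificates/ explicitly`, so the wildcard is not reintroduced by the next maintainer.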
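Review bot: Dropping `rbac.yaml` and `service.yaml` leaves `traefik.yaml` as the only workload manifest under this kustomization, and its HelmRelease (further down in this diff) sets `targetNamespace: default`; the `namespace: traefik-production` transformer here rewrites `metadata.namespace` but, as far as I know, not `spec.targetNamespace`, so the namespaced chart resources that replace the removed files (controller Deployment, ServiceAccount, LoadBalancer Service) would be installed into `default` rather than `traefik-production`. If that is not intended, set `targetNamespace: traefik-production` on the HelmRelease, or omit the field so Helm uses the HelmRelease's own namespace. The removed `rbac.yaml` shows the controller held cluster-wide `get`/`list`/`watch` on `secrets`, which the chart's `rbac.enabled: true` presumably reproduces; a workload with that reach is better kept out of the shared `default` namespace.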
@@ -1,69 +0,0 @@
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: traefik-ingress-controller
-rules:
- - apiGroups:
- - ""
- resources:
- - services
- - endpoints
- - secrets
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - extensions
- - networking.k8s.io
- resources:
- - ingresses
- - ingressclasses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - extensions
- resources:
- - ingresses/status
- verbs:
- - update
- - apiGroups:
- - traefik.containo.us
- resources:
- - middlewares
- - middlewaretcps
- - ingressroutes
- - traefikservices
- - ingressroutetcps
- - ingressrouteudps
- - tlsoptions
- - tlsstores
- - serverstransports
- verbs:
- - get
- - list
- - watch
-
----
-kind: ServiceAccount
-apiVersion: v1
-metadata:
- name: traefik-ingress-controller
- namespace: traefik
-
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: traefik-ingress-controller
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: traefik-ingress-controller
-subjects:
- - kind: ServiceAccount
- name: traefik-ingress-controller
- namespace: traefik
diff --git a/apps/production/traefik/service.yaml b/apps/production/traefik/service.yaml
deleted file mode 100644
index 56a089e..0000000
--- a/apps/production/traefik/service.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: traefik
- labels:
- app.kubernetes.io/instance: traefik
- app.kubernetes.io/name: traefik
-spec:
- selector:
- app.kubernetes.io/instance: traefik
- app.kubernetes.io/name: traefik
- type: LoadBalancer
- loadBalancerIP: 10.0.69.250
- ports:
- - port: 80
- name: web
- targetPort: web
- protocol: TCP
- - port: 443
- name: websecure
- targetPort: websecure
- protocol: TCP
diff --git a/apps/production/traefik/traefik.yaml b/apps/production/traefik/traefik.yaml
index d13764c..d154f02 100644
--- a/apps/production/traefik/traefik.yaml
+++ b/apps/production/traefik/traefik.yaml
@@ -1,66 +1,96 @@
 ---
-apiVersion: apps/v1
-kind: Deployment
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRepository
 metadata:
 name: traefik
- labels:
- app.kubernetes.io/instance: traefik
- app.kubernetes.io/name: traefik
+ namespace: traefik-production
 spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: traefik
- app.kubernetes.io/instance: traefik
- template:
- metadata:
- labels:
- app.kubernetes.io/name: traefik
- app.kubernetes.io/instance: traefik
+ interval: 1m0s
+ url: https://helm.traefik.io/traefik---
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: traefik
+ namespace: traefik-production
+spec:
+ chart:
 spec:
- serviceAccountName: traefik-ingress-controller
- terminationGracePeriodSeconds: 60
- containers:
- - name: traefik
- image: traefik:3.1.4
- args:
- - "--entryPoints.web.address=:8000/tcp"
- - "--entryPoints.websecure.address=:8443/tcp"
- - "--ping=true"
- - "--global.sendanonymoususage=false"
- - "--global.checknewversion=false"
- - "--serversTransport.insecureSkipVerify=true"
- - "--log.level=INFO"
- - "--providers.kubernetescrd"
- - "--providers.kubernetescrd.allowCrossNamespace=true"
- - "--providers.kubernetescrd.allowExternalNameServices=true"
- - "--providers.kubernetesingress.allowCrossNamespace=true"
- - "--providers.kubernetesingress.allowExternalNameServices=true"
- readinessProbe:
- httpGet:
- path: /ping
- port: 9000
- failureThreshold: 1
- initialDelaySeconds: 5
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 2
+ chart: traefik
+ sourceRef:
+ kind: HelmRepository
+ name: traefik
+ version: 31.1.1
+ interval: 1m0s
+ releaseName: traefik
+ targetNamespace: default
+ valuesFrom:
+ - kind: Secret
+ name: traefik-secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ creationTimestamp: null
+ name: traefik-secret
+ namespace: traefik-production
+stringData:
+ values.yaml: |
+ globalArguments:
+ - "--global.sendanonymoususage=false"
+ - "--global.checknewversion=false"
- livenessProbe:
- httpGet:
- path: /ping
- port: 9000
- failureThreshold: 3
- initialDelaySeconds: 5
- periodSeconds: 5
- successThreshold: 1
- timeoutSeconds: 2
+ additionalArguments:
+ - "--serversTransport.insecureSkipVerify=true"
+ - "--log.level=INFO"
+ - "--providers.kubernetescrd.allowCrossNamespace=true"
- ports:
- - name: web
- containerPort: 8000
- protocol: TCP
+ deployment:
+ enabled: true
+ replicas: 1
+ annotations: {}
+ podAnnotations: {}
+ additionalContainers: []
+ initContainers: []
- - name: websecure
- containerPort: 8443
- protocol: TCP
+ ports:
+ web:
+ redirectTo:
+ port: websecure
+ priority: 10
+ websecure:
+ # http3:
+ # enabled: true
+ # advertisedPort: 4443
+ tls:
+ enabled: true
+
+ ingressRoute:
+ dashboard:
+ enabled: false
+
+ providers:
+ kubernetesCRD:
+ enabled: true
+ ingressClass: traefik-external
+ allowExternalNameServices: true
+ allowCrossNamespace: true
+ kubernetesIngress:
+ enabled: true
+ allowExternalNameServices: true
+ allowCrossNamespace: true
+ publishedService:
+ enabled: false
+
+ rbac:
+ enabled: true
+
+ service:
+ enabled: true
+ type: LoadBalancer
+ annotations: {}
+ labels: {}
+ spec:
+ loadBalancerIP: 10.0.69.250 # this should be an IP in the MetalLB range
+ loadBalancerSourceRanges: []
+ externalIPs: []