diff --git a/argocd/apps/cert-manager-issuer/cloudflare-secret-sealed.yaml b/argocd/apps/cert-manager-issuer/cloudflare-secret-sealed.yaml
new file mode 100644
index 0000000..568baf2
--- /dev/null
+++ b/argocd/apps/cert-manager-issuer/cloudflare-secret-sealed.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: cloudflare-api-token-secret
+ namespace: cert-manager
+spec:
+ encryptedData:
+ api-token: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: cloudflare-api-token-secret
+ namespace: cert-manager
+ type: Opaque
diff --git a/argocd/apps/cert-manager-issuer/clusterissuer.yaml b/argocd/apps/cert-manager-issuer/clusterissuer.yaml
new file mode 100644
index 0000000..121f7bd
--- /dev/null
+++ b/argocd/apps/cert-manager-issuer/clusterissuer.yaml
@@ -0,0 +1,24 @@
+# Filename: clusterissuer.yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-cloudflare # Or choose a different name (e.g., staging)
+spec:
+ acme:
+ # --- Production Let's Encrypt ---
+ server: https://acme-v02.api.letsencrypt.org/directory
+ # --- Staging Let's Encrypt (use for testing to avoid rate limits) ---
+ # server: https://acme-staging-v02.api.letsencrypt.org/directory
+
+ email: jayisjam@gmail.com # Replace with your email address
+ privateKeySecretRef:
+ name: letsencrypt-cloudflare-private-key
+
+ solvers:
+ - dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ # This name MUST match the name of the Secret that Sealed Secrets will create
+ name: cloudflare-api-token-secret
+ # This key MUST match the key inside the Secret's data
+ key: api-token
\ No newline at end of file
diff --git a/argocd/argocd-app-cert-manager-issuer.yaml b/argocd/argocd-app-cert-manager-issuer.yaml
new file mode 100644
index 0000000..913742e
--- /dev/null
+++ b/argocd/argocd-app-cert-manager-issuer.yaml
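Review bot: The SealedSecret carries no `sealedsecrets.bitnami.com/cluster-wide` or `sealedsecrets.bitnami.com/namespace-wide` annotation, so it is sealed in strict scope and can only be unsealed as `cloudflare-api-token-secret` in `cert-manager`; that is the right choice for a credential this sensitive, but nothing in the manifest records it, so a later rename or namespace move would silently fail to unseal. Add a comment above `metadata:` such as `# Sealed in strict scope: re-seal with kubeseal if name or namespace changes`. The `template` also says nothing about what the Cloudflare token is permitted to do; a comment stating the expected token scope (DNS edit on the specific zones this issuer serves, nothing more) would let a reviewer check least privilege without access to the token itself.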
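Review bot: The `dns01` solver at the end of the hunk has no `selector`, so this cluster-scoped issuer will attempt a Cloudflare DNS-01 challenge for any domain requested from any namespace; the sealed API token must then carry edit rights over every zone anyone might request, and a misconfigured Certificate in an unrelated namespace can drive API calls against it. Constrain the solver to the zones it is meant for with `selector:` / `dnsZones:` / `- "<your-zone>"` placed alongside `dns01:`, and scope the Cloudflare token to those zones only. The committed `email:` is a real address despite the `# Replace with your email address` comment; either drop the comment or use a shared operations mailbox so ACME expiry notices are not tied to one person. For consistency with cloudflare-secret-sealed.yaml the file should start with `---` and end with a newline.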
@@ -0,0 +1,45 @@
+# Filename: argocd-app-cert-manager-issuer.yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-manager-clusterissuer-cloudflare
+ namespace: argocd # The namespace where Argo CD runs
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default # Or your specific Argo CD project name
+
+ source:
+ repoURL: 'https://git.james-mellors.com/mello/cert-manager.git' # Replace with your Git repository URL
+ path: 'argocd/apps/cert-manager-issuer' # Replace with the path to your SEALED secret and ClusterIssuer manifests
+ targetRevision: main # Or 'main', 'master', a specific tag, or commit hash
+
+ destination:
+ server: 'https://kubernetes.default.svc' # Target cluster URL (use this for in-cluster)
+ # The namespace where the *final decrypted* Secret needs to exist,
+ # matching the namespace in the SealedSecret metadata.
+ namespace: cert-manager
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true # Ensures the cert-manager namespace exists
+ # Optional: Might be needed if the controller adds annotations/labels
+ # - RespectIgnoreDifferences=true
+ # Optional: Ignore fields modified by the Sealed Secrets controller
+ # ignoreDifferences:
+ # - group: bitnami.com
+ # kind: SealedSecret
+ # jsonPointers:
+ # - /metadata/annotations
+ # - /metadata/creationTimestamp
+ # - /metadata/generation
+ # - /metadata/resourceVersion
+ # - /metadata/uid
+
+ # IMPORTANT DEPENDENCY:
+ # Ensure the Sealed Secrets controller is running and healthy *before* this
+ # application syncs, otherwise the SealedSecret won't be unsealed.
+ # If you manage Sealed Secrets via Argo CD, consider using Sync Waves or App of Apps patterns.
\ No newline at end of file
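Review bot: `project: default` places an Application that creates a cluster-scoped ClusterIssuer and unseals a credential under the default AppProject, which out of the box allows any source repository, any destination and any cluster-scoped kind. A dedicated AppProject with `sourceRepos` limited to this repository, `destinations` limited to the `cert-manager` namespace and `clusterResourceWhitelist` limited to group `cert-manager.io` kind `ClusterIssuer` would hold the app to least privilege, after which this line becomes `project: <project-name>`. With `automated.selfHeal` and `prune` enabled, `targetRevision: main` means every push to that branch is applied to the cluster unattended; consider a tag or commit for this app, and reword the comment, which currently offers `'main'` as an alternative to `main`. The file also lacks a trailing newline.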