diff --git a/infra/vault/templates/ingress.yaml b/infra/vault/templates/ingress.yaml
new file mode 100644
index 0000000..406263a
--- /dev/null
+++ b/infra/vault/templates/ingress.yaml
@@ -0,0 +1,18 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: vault-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`vault.infra.durp.info`)
+    kind: Rule
+    services:
+    - name: vault
+      port: 8200
+      scheme: https
+  tls:
+    secretName: vault-tls