diff --git a/kube-prometheus-stack/dns-endpoint-prometheus.yaml b/kube-prometheus-stack/dns-endpoint-prometheus.yaml
new file mode 100644
index 0000000..c5fd0db
--- /dev/null
+++ b/kube-prometheus-stack/dns-endpoint-prometheus.yaml
@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: prometheus.michaelthomson.dev
+  namespace: kube-prometheus-stack
+spec:
+  endpoints:
+  - dnsName: prometheus.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+    - server.michaelthomson.dev
diff --git a/kube-prometheus-stack/helmrelease-kube-prometheus-stack.yaml b/kube-prometheus-stack/helmrelease-kube-prometheus-stack.yaml
index 9f3a0f5..973ea5b 100644
--- a/kube-prometheus-stack/helmrelease-kube-prometheus-stack.yaml
+++ b/kube-prometheus-stack/helmrelease-kube-prometheus-stack.yaml
@@ -29,3 +29,16 @@ spec:
           - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
             hosts:
               - grafana.michaelthomson.dev
+    prometheus:
+      ingress:
+        enabled: true
+        annotations:
+          traefik.ingress.kubernetes.io/router.tls: "true"
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        hosts:
+        - prometheus.michaelthomson.dev
+        path: /
+        tls:
+          - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+            hosts:
+              - prometheus.michaelthomson.dev