diff --git a/bootstrap/kustomizations/kustomization-letsencrypt-wildcard-cert.yaml b/bootstrap/kustomizations/kustomization-letsencrypt-wildcard-cert.yaml
new file mode 100644
index 0000000..0ba7283
--- /dev/null
+++ b/bootstrap/kustomizations/kustomization-letsencrypt-wildcard-cert.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: letsencrypt-wildcard-cert
+ namespace: flux-system
+spec:
+ interval: 15m
+ path: ./letsencrypt-wildcard-cert
+ dependsOn:
+ - name: "cert-manager"
+ - name: "sealed-secrets"
+ prune: true # remove any elements later removed from the above path
+ timeout: 2m # if not set, this defaults to interval duration, which is 1h
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
diff --git a/bootstrap/namespaces/namespace-letsencrypt-wildcard-cert.yaml b/bootstrap/namespaces/namespace-letsencrypt-wildcard-cert.yaml
new file mode 100644
index 0000000..c402246
--- /dev/null
+++ b/bootstrap/namespaces/namespace-letsencrypt-wildcard-cert.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: letsencrypt-wildcard-cert
diff --git a/letsencrypt-wildcard-cert/cluster-issuer-letsencrypt-prod.yaml b/letsencrypt-wildcard-cert/cluster-issuer-letsencrypt-prod.yaml
new file mode 100644
index 0000000..126385e
--- /dev/null
+++ b/letsencrypt-wildcard-cert/cluster-issuer-letsencrypt-prod.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ email: michael@michaelthomson.dev
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ solvers:
+ - selector:
+ dnsZones:
+ - "michaelthomson.dev"
+ dns01:
+ cloudflare:
+ email: michael@michaelthomson.dev
+ apiTokenSecretRef:
+ name: cloudflare-api-key
+ key: cloudflare_api_key
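Review bot: The inline comment on `timeout: 2m` in kustomization-letsencrypt-wildcard-cert.yaml says the default is the interval duration, "which is 1h", but `interval` is set to `15m` a few lines above in the same spec. I would change it to `timeout: 2m # if not set, defaults to the interval (15m here)`. Separately, `dependsOn` only waits for the `cert-manager` and `sealed-secrets` Kustomizations to report Ready; whether that means the cert-manager CRDs and webhook are actually serving depends on those Kustomizations using `wait` or health checks, and they are not part of this diff, so that is worth confirming before the ClusterIssuers are applied.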
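Review bot: In cluster-issuer-letsencrypt-prod.yaml both `metadata.name` and `privateKeySecretRef.name` are `letsencrypt-staging`, although `server` points at the production ACME directory. ClusterIssuer is cluster-scoped, so this manifest has the same identity as the one in cluster-issuer-letsencrypt-staging.yaml. Depending on how the directory is built, the build is likely to fail on the duplicate resource or one issuer will silently replace the other, and either way both would share a single ACME account key Secret. Use `name: letsencrypt-prod` in both places so a Certificate selects its CA explicitly and each ACME account keeps its own key.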
diff --git a/letsencrypt-wildcard-cert/cluster-issuer-letsencrypt-staging.yaml b/letsencrypt-wildcard-cert/cluster-issuer-letsencrypt-staging.yaml
new file mode 100644
index 0000000..fa07826
--- /dev/null
+++ b/letsencrypt-wildcard-cert/cluster-issuer-letsencrypt-staging.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ email: michael@michaelthomson.dev
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ solvers:
+ - selector:
+ dnsZones:
+ - "michaelthomson.dev"
+ dns01:
+ cloudflare:
+ email: michael@michaelthomson.dev
+ apiTokenSecretRef:
+ name: cloudflare-api-key
+ key: cloudflare_api_key
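Review bot: The Cloudflare credential under `apiTokenSecretRef` is named `cloudflare-api-key`, and nothing in the manifest records whether it is a scoped API token or the account-wide Global API Key; the same block appears in cluster-issuer-letsencrypt-prod.yaml. A DNS-01 solver needs only DNS edit and zone read on `michaelthomson.dev`, so I would add a comment above the ref such as `# scoped API token: Zone/DNS:Edit + Zone/Zone:Read, michaelthomson.dev only`. A ClusterIssuer also reads this Secret from cert-manager's cluster resource namespace (presumably `cert-manager`), not from the new `letsencrypt-wildcard-cert` namespace. The SealedSecret is not part of this diff, so confirm which namespace it is sealed to.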