diff --git a/apps/argocd-ingress/ingress.yaml b/apps/argocd-ingress/ingress.yaml
index d50cf11..b75c3e1 100644
--- a/apps/argocd-ingress/ingress.yaml
+++ b/apps/argocd-ingress/ingress.yaml
@@ -4,9 +4,15 @@ metadata:
   name: argocd-server-ingress
   namespace: argocd
   annotations:
-    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+    cert-manager.io/cluster-issuer: letsencrypt-prod # <-- Zertifikat holen
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
+    traefik.ingress.kubernetes.io/service.serversscheme: https # <-- WICHTIG: Backend spricht HTTPS
 spec:
+  tls: # <-- Zertifikat speichern
+    - hosts:
+        - argocd.k3s.stabify.de
+      secretName: argocd-server-tls
   rules:
     - host: argocd.k3s.stabify.de
       http:
@@ -17,14 +23,4 @@ spec:
               service:
                 name: argocd-server
                 port:
-                  name: http
-    - host: argocd.k3s.sys.stabify.de # Alternative Domain falls gewünscht
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: argocd-server
-                port:
-                  name: http
+                  name: https # <-- Ändere Port Name auf https (Port 443 am Service)