diff --git a/manifests/apiservice.yaml b/manifests/apiservice.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b8de961a148f81c7072bc18c366c7dd91ac20d25
--- /dev/null
+++ b/manifests/apiservice.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.cert-manager-webhook-rwth.thomas.fsmpi.eu
+  annotations:
+    cert-manager.io/inject-ca-from: >-
+      cert-manager/cert-manager-webhook-rwth-webhook-tls
+spec:
+  group: cert-manager-webhook-rwth.thomas.fsmpi.eu
+  groupPriorityMinimum: 1000
+  versionPriority: 15
+  service:
+    name: cert-manager-webhook-rwth
+    namespace: cert-manager
+  version: v1alpha1
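Review bot: `spec.service` omits `port`, so the API server falls back to the default of 443, which only happens to match the port declared in service.yaml. Writing `port: 443` here keeps the two manifests from drifting apart silently. A one-line comment above the `cert-manager.io/inject-ca-from` annotation, for example `# cainjector fills spec.caBundle from this Certificate (namespace/name)`, would also explain why neither `caBundle` nor `insecureSkipTLSVerify` appears in the spec.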
diff --git a/manifests/deployment.yaml b/manifests/deployment.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..68b5a264a9fddb7de5bd846aed1583d441868a2a
--- /dev/null
+++ b/manifests/deployment.yaml
@@ -0,0 +1,46 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-manager-webhook-rwth
+  namespace: cert-manager
+spec:
+  selector:
+    matchLabels:
+      app: cert-manager-webhook-rwth
+  template:
+    metadata: {}
+    spec:
+      serviceAccountName: cert-manager-webhook-rwth
+      containers:
+        - name: cert-manager-webhook-rwth
+          image: >-
+            registry.git.fsmpi.rwth-aachen.de/thomas/cert-manager-webhook-rwth:latest
+          args:
+            - --tls-cert-file=/tls/tls.crt
+            - --tls-private-key-file=/tls/tls.key
+            - --secure-port=8443
+            - --v=2  # log level
+          securityContext:
+            runAsUser: 65534
+          ports:
+            - name: https
+              containerPort: 8443
+          livenessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /healthz
+              port: https
+          readinessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /healthz
+              port: https
+          volumeMounts:
+            - name: certs
+              mountPath: /tls
+              readOnly: true
+      volumes:
+        - name: certs
+          secret:
+            secretName: cert-manager-webhook-rwth-webhook-tls
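Review bot: The container is pulled by the mutable tag `:latest` and its `securityContext` sets only `runAsUser: 65534`, so a restart can pick up an image nobody reviewed, and the process keeps the runtime's default capabilities and can still escalate privileges. Pin the image to a release tag or digest (`…/cert-manager-webhook-rwth@sha256:<digest>`) and harden the context as shown below. `readOnlyRootFilesystem: true` is worth adding as well, once it is confirmed that the binary writes nothing to its root filesystem. The container also declares no `resources` requests or limits, so a misbehaving webhook is unbounded inside the `cert-manager` namespace.

```yaml
          # … unchanged: name, image, args …
          securityContext:
            runAsUser: 65534
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: ports, probes, volumeMounts …
```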
diff --git a/manifests/kustomization.yaml b/manifests/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3a167f9c0828e3b21be5ef14c2d77c8d55073f81
--- /dev/null
+++ b/manifests/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonLabels:
+  app: cert-manager-webhook-rwth
+
+resources:
+  - apiservice.yaml
+  - deployment.yaml
+  - pki.yaml
+  - rbac.yaml
+  - service.yaml
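Review bot: `commonLabels` is the only thing that gives the pod template in deployment.yaml its `app` label (that file has `metadata: {}` under `template`), so the Deployment's selector matches nothing unless the manifests are built through this kustomization. A comment above `commonLabels` such as `# also injects the pod-template and selector labels; do not apply the files individually` would make that dependency visible. Recent kustomize releases also mark `commonLabels` as deprecated in favour of `labels`; if you migrate, set `includeSelectors: true` so the selectors keep receiving the label.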
diff --git a/manifests/pki.yaml b/manifests/pki.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..eb915bf7a78c0139cb938d1e53ca30741b903966
--- /dev/null
+++ b/manifests/pki.yaml
@@ -0,0 +1,45 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: cert-manager-webhook-rwth-selfsign
+  namespace: cert-manager
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cert-manager-webhook-rwth-ca
+  namespace: cert-manager
+spec:
+  secretName: cert-manager-webhook-rwth-ca
+  duration: 8760h  # 1y
+  issuerRef:
+    name: cert-manager-webhook-rwth-selfsign
+  commonName: ca.cert-manager-webhook-rwth.cert-manager
+  isCA: true
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: cert-manager-webhook-rwth-ca
+  namespace: cert-manager
+spec:
+  ca:
+    secretName: cert-manager-webhook-rwth-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cert-manager-webhook-rwth-webhook-tls
+  namespace: cert-manager
+spec:
+  secretName: cert-manager-webhook-rwth-webhook-tls
+  duration: 720h  # 30d
+  issuerRef:
+    name: cert-manager-webhook-rwth-ca
+  dnsNames:
+    - cert-manager-webhook-rwth
+    - cert-manager-webhook-rwth.cert-manager
+    - cert-manager-webhook-rwth.cert-manager.svc
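Review bot: The serving Certificate `cert-manager-webhook-rwth-webhook-tls` leaves private-key handling and key usages to cert-manager's defaults. The default key rotation policy differs between cert-manager versions, so this manifest does not decide whether the TLS key is regenerated at each 30-day renewal. Adding `privateKey:` with `rotationPolicy: Always` under its `spec` settles that. A `usages` list naming `digital signature`, `key encipherment` and `server auth` would restrict the leaf certificate to serving. Both `issuerRef` blocks also rely on the implicit `kind: Issuer`; spelling it out makes the namespaced scope obvious to a reader.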
diff --git a/manifests/rbac.yaml b/manifests/rbac.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2dc5cb4fda89ef2cbbdeab0f864af4bd266cc3ae
--- /dev/null
+++ b/manifests/rbac.yaml
@@ -0,0 +1,120 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-webhook-rwth
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-webhook-rwth:webhook-authentication-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-rwth
+    namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-webhook-rwth:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-rwth
+    namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-webhook-rwth:domain-solver
+rules:
+  - apiGroups:
+      - cert-manager-webhook-rwth.thomas.fsmpi.eu
+    resources:
+      - '*'
+    verbs:
+      - 'create'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-webhook-rwth:domain-solver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-webhook-rwth:domain-solver
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager
+    namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-webhook-rwth:secret-reader
+  namespace: cert-manager
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - rwthdns-apikey
+    verbs:
+      - get
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-webhook-rwth:secret-reader
+  namespace: cert-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-webhook-rwth:secret-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-rwth
+    namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-webhook-rwth:flowcontrol-solver
+rules:
+  - apiGroups:
+      - flowcontrol.apiserver.k8s.io
+    resources:
+      - prioritylevelconfigurations
+      - flowschemas
+    verbs:
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-webhook-rwth:flowcontrol-solver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-webhook-rwth:flowcontrol-solver
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-rwth
+    namespace: cert-manager
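Review bot: The `cert-manager-webhook-rwth:domain-solver` ClusterRole grants `create` on `'*'` in the webhook's API group, which is wider than the single solver resource cert-manager posts challenge requests to. If the solver name is fixed, listing it under `resources` (`- <solver-name>`) keeps the grant minimal. The matching ClusterRoleBinding hard-codes the subject `cert-manager` in namespace `cert-manager`; that is presumably the controller's ServiceAccount, but its name depends on how cert-manager was installed, so a comment stating the assumption would help. A comment on the `secret-reader` Role should record that the API key is readable only as the Secret `rwthdns-apikey` in the `cert-manager` namespace, since that constrains how issuers can reference it.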
diff --git a/manifests/service.yaml b/manifests/service.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e9b94c4acdfdca3bd2dd280246cf999b2b96a606
--- /dev/null
+++ b/manifests/service.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: cert-manager-webhook-rwth
+  namespace: cert-manager
+spec:
+  type: ClusterIP
+  ports:
+    - port: 443
+      targetPort: https
+      name: https
+  selector:
+    app: cert-manager-webhook-rwth