diff --git a/k8s-peterg/argocd/httproute.yaml b/k8s-peterg/argocd/httproute.yaml
index 6609743..98a6820 100644
--- a/k8s-peterg/argocd/httproute.yaml
+++ b/k8s-peterg/argocd/httproute.yaml
@@ -8,9 +8,9 @@ spec:
   parentRefs:
     - name: internal
       namespace: kube-system
-      sectionName: http
+      sectionName: https
   hostnames:
-    - "argocd.k8s.peterg.nl"
+    - "argocd.peterg.nl"
   rules:
     - backendRefs:
         - name: argocd-server
diff --git a/k8s-peterg/argocd/patches/configmap.yaml b/k8s-peterg/argocd/patches/configmap.yaml
index c2a345a..61ead9d 100644
--- a/k8s-peterg/argocd/patches/configmap.yaml
+++ b/k8s-peterg/argocd/patches/configmap.yaml
@@ -16,6 +16,7 @@ data:
           issuer: $argocd-authentik-provider:dex.authentik.issuer
           clientID: $argocd-authentik-app:dex.authentik.clientID
           clientSecret: $argocd-authentik-app:dex.authentik.clientSecret
+          isecureEnableGroups: true
           scopes:
             - openid
             - profile
diff --git a/k8s-peterg/cilium/gateways.yaml b/k8s-peterg/cilium/gateways.yaml
index 61eb002..72e55a8 100644
--- a/k8s-peterg/cilium/gateways.yaml
+++ b/k8s-peterg/cilium/gateways.yaml
@@ -25,7 +25,7 @@ spec:
       tls:
         certificateRefs:
           - kind: Secret
-            name: selfsigned-cert-tls
+            name: tls-wildcard-peterg-nl
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: Gateway
@@ -52,4 +52,4 @@ spec:
       tls:
         certificateRefs:
           - kind: Secret
-            name: selfsigned-cert-tls
+            name: tls-wildcard-peterg-nl
diff --git a/k8s-peterg/cilium/httproute.yaml b/k8s-peterg/cilium/httproute.yaml
index d93c08e..6795784 100644
--- a/k8s-peterg/cilium/httproute.yaml
+++ b/k8s-peterg/cilium/httproute.yaml
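Review bot: The added key `isecureEnableGroups: true` in the argocd configmap patch looks like a misspelling of Dex's OIDC connector option `insecureEnableGroups`; an unrecognised key is ignored, so the groups claim stays disabled and any Argo CD RBAC rule that depends on group membership silently falls through to the default policy. Change it to `insecureEnableGroups: true`. The connector block this line belongs to starts before the hunk, so confirm it sits inside the oidc connector's `config:` section alongside `issuer` and `clientID`. Note that, as the option name says, this trusts the groups claim from the ID token as issued; that is the documented trade-off for connectors that cannot re-fetch groups.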
@@ -1,19 +1,19 @@
-# ---
-# apiVersion: gateway.networking.k8s.io/v1
-# kind: HTTPRoute
-# metadata:
-#   name: http-filter-redirect
-# spec:
-#   parentRefs:
-#     - name: shared
-#       sectionName: http
-#     - name: internal
-#       sectionName: http
-#   rules:
-#     - filters:
-#         - type: RequestRedirect
-#           requestRedirect:
-#             scheme: https
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-filter-redirect
+spec:
+  parentRefs:
+    - name: public
+      sectionName: http
+    - name: internal
+      sectionName: http
+  rules:
+    - filters:
+        - type: RequestRedirect
+          requestRedirect:
+            scheme: https
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
@@ -24,9 +24,9 @@ spec:
   parentRefs:
     - name: internal
       namespace: kube-system
-      sectionName: http
+      sectionName: https
   hostnames:
-    - "hubble.k8s.peterg.nl"
+    - "hubble.peterg.nl"
   rules:
     - backendRefs:
         - name: hubble-ui
diff --git a/k8s-peterg/external-secrets-operator/clustersecrets.yaml b/k8s-peterg/external-secrets-operator/clustersecrets.yaml
new file mode 100644
index 0000000..31537ae
--- /dev/null
+++ b/k8s-peterg/external-secrets-operator/clustersecrets.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ClusterExternalSecret
+metadata:
+  name: tls-wildcard-peterg-nl
+spec:
+  externalSecretName: tls-wildcard-peterg-nl
+  externalSecretSpec:
+    secretStoreRef:
+      name: 1password-wheatley
+      kind: ClusterSecretStore
+    target:
+      name: tls-wildcard-peterg-nl
+      creationPolicy: Owner
+      template:
+        type: kubernetes.io/tls
+        data:
+          tls.crt: "{{ .crt }}"
+          tls.key: "{{ .key }}"
+    data:
+      - secretKey: key
+        remoteRef:
+          key: tls-wildcard-peterg-nl
+          property: key
+      - secretKey: crt
+        remoteRef:
+          key: tls-wildcard-peterg-nl
+          property: crt
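Review bot: The re-enabled `http-filter-redirect` route's parentRefs `public` and `internal` carry no `namespace`, while the hubble route in the second hunk references the same `internal` Gateway with `namespace: kube-system`; if this HTTPRoute is not itself in kube-system, the parentRefs resolve to the route's own namespace, the redirect never attaches, and the `http` listeners keep serving cleartext with no redirect. Add `namespace: kube-system` under each parentRef so it matches the hubble route. `requestRedirect` sets no `statusCode`, so the Gateway API default of 302 applies; a `301` is the usual choice for a permanent HTTP-to-HTTPS redirect. The route's own namespace is not visible in this hunk.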
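Review bot: The new ClusterExternalSecret sets neither `namespaceSelectors` nor `namespaces`, so which namespaces receive the generated `tls-wildcard-peterg-nl` Secret depends on how the controller treats an absent selector: if it is match-all, the wildcard private key is copied into every namespace and becomes readable by any workload or service account with Secret read access anywhere in the cluster; if it is match-none, the `certificateRefs` in cilium/gateways.yaml point at a Secret that never appears. Scope it explicitly to the Gateways' namespace, e.g. `namespaces:` followed by `- kube-system`, which is the namespace the HTTPRoutes use for the `internal` Gateway. Consider also an explicit `refreshInterval` in `externalSecretSpec` so a rotated wildcard certificate in the store is picked up on a known cadence rather than the controller default.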