diff --git a/auth/keycloak.yaml b/auth/keycloak.yaml
index f585cc3..c9fd9ff 100644
--- a/auth/keycloak.yaml
+++ b/auth/keycloak.yaml
@@ -171,3 +171,73 @@ spec:
 key: postgresql-password
 ingress:
 enabled: false
+---
+# Keycloak SSL Certificate
+apiVersion: kubernetes.crossplane.io/v1alpha2
+kind: Object
+metadata:
+ name: keycloak-certificate
+ namespace: crossplane-system
+spec:
+ providerConfigRef:
+ name: kubernetes-provider
+ forProvider:
+ manifest:
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keycloak-tls
+ namespace: emissary
+ spec:
+ secretName: keycloak-tls
+ issuerRef:
+ name: letsencrypt-dns
+ kind: ClusterIssuer
+ dnsNames:
+ - auth.nge6.com
+---
+# Keycloak Ambassador Host
+apiVersion: kubernetes.crossplane.io/v1alpha2
+kind: Object
+metadata:
+ name: keycloak-host
+ namespace: crossplane-system
+spec:
+ providerConfigRef:
+ name: kubernetes-provider
+ forProvider:
+ manifest:
+ apiVersion: getambassador.io/v3alpha1
+ kind: Host
+ metadata:
+ name: keycloak-host
+ namespace: emissary
+ annotations:
+ external-dns.ambassador-service: emissary-ingress.emissary.svc.cluster.local
+ spec:
+ hostname: auth.nge6.com
+ tlsSecret:
+ name: keycloak-tls
+---
+# Keycloak Ambassador Mapping
+apiVersion: kubernetes.crossplane.io/v1alpha2
+kind: Object
+metadata:
+ name: keycloak-mapping
+ namespace: crossplane-system
+spec:
+ providerConfigRef:
+ name: kubernetes-provider
+ forProvider:
+ manifest:
+ apiVersion: getambassador.io/v3alpha1
+ kind: Mapping
+ metadata:
+ name: keycloak-mapping
+ namespace: emissary
+ spec:
+ hostname: auth.nge6.com
+ prefix: /
+ service: keycloak-http.auth-system:80
+ timeout_ms: 30000
+ connect_timeout_ms: 10000
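Review bot: `prefix: /` in the keycloak-mapping Mapping routes every path on auth.nge6.com to Keycloak, so the admin console and admin REST API (and any metrics or health endpoints served on port 80) are published wherever this Host is reachable. Keycloak's reverse-proxy guidance is to expose only the paths clients need: narrow the Mapping to `prefix: /realms/` with `rewrite: ""` (Emissary otherwise rewrites the matched prefix to `/`) and add a sibling Mapping for `/resources/`. The exact paths depend on the Keycloak version and context path (legacy images serve under `/auth/`), which this hunk does not show, so confirm them against the release configured earlier in the file. Separately, `service: keycloak-http.auth-system:80` carries credentials and tokens in cleartext between the emissary and auth-system namespaces, and Keycloak's proxy/forwarded-header settings must match this TLS-terminating setup; both are worth confirming before merge.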