diff --git a/apps/base/mastodon/ca.yaml b/apps/base/mastodon/ca.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1ed78ee37ec2dd384527886d751f2282c2f29e3b
--- /dev/null
+++ b/apps/base/mastodon/ca.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: namespace-ca
+  namespace: mastodon
+spec:
+  isCA: true
+  commonName: namespace-ca
+  secretName: namespace-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-cluster-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: namespace-ca-issuer
+  namespace: mastodon
+spec:
+  ca:
+    secretName: namespace-ca
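Review bot: The `namespace-ca` Certificate sets neither `duration` nor `renewBefore`, so cert-manager's defaults apply (90 days unless configured otherwise) and the namespace trust anchor is re-issued on a short cycle. Consumers that read `ca.crt` only at start-up, such as a process using `NODE_EXTRA_CA_CERTS`, keep the old anchor until they restart and would begin rejecting the database certificate once that anchor expires. Consider setting an explicit lifetime under `spec:`, for example `duration: 8760h` with `renewBefore: 720h`, and documenting how dependent pods are restarted after a CA renewal. A short comment above `isCA: true` saying that this CA signs only in-namespace service certificates would also help the next reader.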
diff --git a/apps/base/mastodon/database.yaml b/apps/base/mastodon/database.yaml
index 7e3c2eff0b8e7aef346c201e05309f85c29744c6..bf30e08429de96916913efa9105c610fbb466929 100644
--- a/apps/base/mastodon/database.yaml
+++ b/apps/base/mastodon/database.yaml
@@ -23,3 +23,25 @@ spec:
     limits:
       cpu: "1"
       memory: 3072Mi
+  spiloFSGroup: 103
+  tls:
+    secretName: "mastodon-postgres-tls"
+    caSecretName: "namespace-ca"
+    caFile: "ca.crt"
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mastodon-postgres
+  namespace: mastodon
+spec:
+  secretName: mastodon-postgres-tls
+  dnsNames:
+    - mastodon-postgres.mastodon.svc.cluster.local
+    - mastodon-postgres.mastodon.svc
+  issuerRef:
+    name: namespace-ca-issuer
+    kind: Issuer
+    group: cert-manager.io
+  usages:
+    - server auth
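Review bot: `caSecretName: "namespace-ca"` in the `tls:` block points the database at the CA's own Secret, which cert-manager populates with `tls.key` (the CA signing key) alongside `ca.crt`. If the operator mounts that Secret whole, as Secret volumes are by default, the signing key ends up readable inside the Postgres pod. The `mastodon-postgres-tls` Secret issued by the Certificate below should already contain `ca.crt`, so dropping `caSecretName` and keeping `caFile: "ca.crt"` would likely give the same result without exposing the key. The same exposure is present in release.yaml, where the `namespace-ca-cert` volume mounts `secretName: namespace-ca` into mastodon-streaming; there `items: [{key: ca.crt, path: ca.crt}]` under `secret:` restricts the mount to the certificate. The enclosing `spec:` begins outside this hunk.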
diff --git a/apps/base/mastodon/kustomization.yaml b/apps/base/mastodon/kustomization.yaml
index 417087c82a4cd466af06036e5a8dd95fac5b066b..aa2cd27d2cc49ddc114a85eced763cf71acbf201 100644
--- a/apps/base/mastodon/kustomization.yaml
+++ b/apps/base/mastodon/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
 namespace: mastodon
 resources:
   - namespace.yaml
+  - ca.yaml
   - repository.yaml
   - release.yaml
   - database.yaml
diff --git a/apps/base/mastodon/release.yaml b/apps/base/mastodon/release.yaml
index 6b278a965ab0c6cdc39e44b9c0bf530da390290d..89c738c6aa9811fe5e6af10de6fb074fc73767e0 100644
--- a/apps/base/mastodon/release.yaml
+++ b/apps/base/mastodon/release.yaml
@@ -35,6 +35,37 @@ spec:
       optional: false
   postRenderers:
     - kustomize:
+        patchesJson6902:
+          - target:
+              group: apps
+              version: v1
+              kind: Deployment
+              name: mastodon-streaming
+            patch:
+              - op: add
+                path: /spec/template/spec/containers/0/env/-
+                value:
+                  name: NODE_EXTRA_CA_CERTS
+                  value: /ca/ca.crt
+              - op: add
+                path: /spec/template/spec/containers/0/volumeMounts
+                value: []
+              - op: add
+                path: /spec/template/spec/containers/0/volumeMounts/-
+                value:
+                  name: namespace-ca-cert
+                  mountPath: "/ca/"
+                  readOnly: true
+              - op: add
+                path: /spec/template/spec/volumes
+                value: []
+              - op: add
+                path: /spec/template/spec/volumes/-
+                value:
+                  name: namespace-ca-cert
+                  secret:
+                    secretName: namespace-ca
+                    optional: false
         patchesStrategicMerge:
           - kind: Service
             apiVersion: v1
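Review bot: The two `op: add` patches with `value: []` at `/spec/template/spec/containers/0/volumeMounts` and `/spec/template/spec/volumes` overwrite whatever the chart already renders at those paths, because JSON Patch `add` on an existing member replaces it; a chart upgrade that introduces its own volumes would lose them silently. The `env/-` patch likewise fails if the container has no `env` list, and index `0` assumes the container order never changes. A strategic-merge patch on the Deployment, placed in the `patchesStrategicMerge` list this postRenderer already uses, merges by name and removes all three assumptions. The sketch below leaves the container name as a placeholder because it is not visible in this hunk, and the postRenderers block continues past the hunk.

```yaml
        patchesStrategicMerge:
          - kind: Deployment
            apiVersion: apps/v1
            metadata:
              name: mastodon-streaming
            spec:
              template:
                spec:
                  containers:
                    # placeholder: use the container name the chart renders
                    - name: <STREAMING_CONTAINER_NAME>
                      env:
                        - name: NODE_EXTRA_CA_CERTS
                          value: /ca/ca.crt
                      volumeMounts:
                        - name: namespace-ca-cert
                          mountPath: /ca/
                          readOnly: true
                  volumes:
                    - name: namespace-ca-cert
                      secret:
                        secretName: namespace-ca
                        optional: false
                        # project only the certificate, not the CA's tls.key
                        items:
                          - key: ca.crt
                            path: ca.crt
          # … unchanged: existing Service patch …
```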