diff --git a/kube/02-roles.yaml b/00-defs/02-roles.yaml
rename from kube/02-roles.yaml
rename to 00-defs/02-roles.yaml
--- a/kube/02-roles.yaml
+++ b/00-defs/02-roles.yaml
@@ -122,4 +122,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: pomerium-gen-secrets
-  namespace: pomerium
\ No newline at end of file
+  namespace: pomerium
diff --git a/20-kube/20-pom-deploy.yaml b/20-kube/20-pom-deploy.yaml
--- a/20-kube/20-pom-deploy.yaml
+++ b/20-kube/20-pom-deploy.yaml
@@ -1,49 +1,3 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  namespace: pomerium
-  name: autocert-data
-spec:
-  storageClassName: ""
-  volumeName: "autocert-data"
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 5Gi
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: pomerium
-  name: pomerium-metrics
-  namespace: pomerium
-spec:
-  ports:
-    - { name: metrics, port: 9090, protocol: TCP, targetPort: metrics }
-  selector: { app.kubernetes.io/name: pomerium }
-  type: ClusterIP
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: pomerium
-  name: pomerium-proxy
-  namespace: pomerium
-spec:
-  ports:
-    - { name: https, port: 443, protocol: TCP, targetPort: https }
-    - { name: http, port: 80, protocol: TCP, targetPort: http }
-  selector: { app.kubernetes.io/name: pomerium }
-  type: LoadBalancer
-  externalIPs:
-  # prime forwards to this
-    - 10.5.0.1
-  # local dns picks this
-    - 10.2.0.1
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/kube/05-idp-secret.yaml b/kube/05-idp-secret.yaml
deleted file mode 100644
--- a/kube/05-idp-secret.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: idp
-  namespace: pomerium
-type: Opaque
-stringData:
-  
\ No newline at end of file
diff --git a/kube/60-auth-cert.yaml b/kube/60-auth-cert.yaml
deleted file mode 100644
--- a/kube/60-auth-cert.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: pomerium-proxy-tls
-  namespace: pomerium
-spec:
-  dnsNames:
-  - 'authenticate.bigasterisk.com'
-  issuerRef:
-    kind: Issuer
-    name: letsencrypt-prod
-  secretName: pomerium-proxy-tls
\ No newline at end of file