diff --git a/patch.yaml b/patch.yaml
new file mode 100644
--- /dev/null
+++ b/patch.yaml
@@ -0,0 +1,45 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium
+  namespace: pomerium
+spec:
+  template:
+    spec:
+      containers:
+        - name: pomerium
+          image: pomerium/ingress-controller:sha-dd49d67
+          volumeMounts:
+            - mountPath: /data/autocert
+              name: autocert
+            - mountPath: /.local
+              name: autocert
+      volumes:
+        - { name: autocert, persistentVolumeClaim: { claimName: autocert-data } }
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pomerium-proxy
+  namespace: pomerium
+spec:
+  externalIPs:
+  # this would be the fastest if we're running on ditto
+    - 10.5.0.7
+  # prime forwards to this
+    - 10.5.0.1
+  # local dns picks this
+    - 10.2.0.1
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: pomerium-gen-secrets
+  namespace: pomerium
+spec:
+  template:
+    spec:
+      containers:
+      - name: gen-secrets
+        image: pomerium/ingress-controller:sha-dd49d67