diff --git a/clusters/cherry/apps/cert-manager.yaml b/clusters/cherry/apps/cert-manager.yaml
new file mode 100644
index 0000000..57e10b9
--- /dev/null
+++ b/clusters/cherry/apps/cert-manager.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cherry-cert-manager
+  namespace: argocd
+spec:
+  project: infrastructure
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: cert-manager
+  source:
+    chart: cert-manager
+    repoURL: https://charts.jetstack.io
+    targetRevision: 1.13.1
+    helm:
+      releaseName: cert-manager
+      valuesObject:
+        installCRDs: true
diff --git a/clusters/cherry/apps/cilium.yaml b/clusters/cherry/apps/cilium.yaml
new file mode 100644
index 0000000..0e9b622
--- /dev/null
+++ b/clusters/cherry/apps/cilium.yaml
@@ -0,0 +1,34 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cherry-cilium
+  namespace: argocd
+spec:
+  project: infrastructure
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: kube-system
+  source:
+    chart: cilium
+    repoURL: https://helm.cilium.io/
+    targetRevision: 1.14.2
+    helm:
+      releaseName: cilium
+      valuesObject:
+        operator:
+          replicas: 1
+        # Needed to run ingress-nginx in hostPort mode
+        kubeProxyReplacement: true
+        k8sServiceHost: 172.16.140.1
+        k8sServicePort: 6443
+        hubble:
+          relay:
+            enabled: true
+          ui:
+            enabled: true
diff --git a/clusters/cherry/apps/ingress-nginx.yaml b/clusters/cherry/apps/ingress-nginx.yaml
new file mode 100644
index 0000000..5187736
--- /dev/null
+++ b/clusters/cherry/apps/ingress-nginx.yaml
@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cherry-ingress-nginx
+  namespace: argocd
+spec:
+  project: infrastructure
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: ingress-nginx
+  source:
+    chart: ingress-nginx
+    repoURL: https://kubernetes.github.io/ingress-nginx
+    targetRevision: 4.8.0
+    helm:
+      releaseName: ingress-nginx
+      valuesObject:
+        # TODO: enable proxy protocol
+        controller:
+          kind: DaemonSet
+          service:
+            # TODO: use Service .spec.type: NodePort
+            type: ClusterIP
+          hostPort:
+            enabled: true