diff --git a/kargo/kargo.yaml b/kargo/kargo.yaml
new file mode 100644
index 0000000..820ba14
--- /dev/null
+++ b/kargo/kargo.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kargo
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: kargo
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://kargo
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/kargo/kargo/cert-manager.yaml b/kargo/kargo/cert-manager.yaml
new file mode 100644
index 0000000..af1011a
--- /dev/null
+++ b/kargo/kargo/cert-manager.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: cert-manager
+  source:
+    chart: cert-manager
+    repoURL: https://charts.jetstack.io
+    targetRevision: 1.14.5
+    helm:
+      releaseName: cert-manager
+      valueFiles:
+        - values.yaml
+      values: |
+        installCRDs: true
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
\ No newline at end of file
diff --git a/kargo/kargo/kargo.yaml b/kargo/kargo/kargo.yaml
new file mode 100644
index 0000000..6bd107a
--- /dev/null
+++ b/kargo/kargo/kargo.yaml
@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kargo
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kargo-helm
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: kargo
+  source:
+    chart: kargo
+    repoURL: ghcr.io/akuity/kargo-charts
+    targetRevision: 1.0.3
+    helm:
+      parameters:
+      - name: api.ingress.tls.enabled
+        value: "false"
+      - name: api.tls.selfSignedCert
+        value: "true"
+      - name: api.secret.name
+        value: kargo-api
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: kargo-api
+  namespace: kargo
+  annotations:
+    # We need the ingress to pass through ssl traffic to the vCluster
+    # This only works for the nginx-ingress (enable via --enable-ssl-passthrough
+    # https://kubernetes.github.io/ingress-nginx/user-guide/tls/#ssl-passthrough )
+    # for other ingress controllers please check their respective documentation.
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+spec:
+  ingressClassName: "nginx"
+  rules:
+    - host: kargo.cnoe.localtest.me
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: kargo-api
+                port:
+                  number: 443
+---
+apiVersion: v1
+data:
+  ADMIN_ACCOUNT_PASSWORD_HASH: JDJhJDEwJFpyaGhpZTR2THo1eWd0VlNhaWY2by5xTjM2amdzNnZqdE1CZE02eXJVMUZPZWlBQU1NeE9t
+  ADMIN_ACCOUNT_TOKEN_SIGNING_KEY: aXdpc2h0b3dhc2hteWlyaXNod3Jpc3R3YXRjaA==
+kind: Secret
+metadata:
+  labels:
+  name: kargo-api
+  namespace: kargo
+type: Opaque
\ No newline at end of file