diff --git a/argocd/applications/tigera-operator.yaml b/argocd/applications/tigera-operator.yaml
new file mode 100644
index 0000000..6289fd5
--- /dev/null
+++ b/argocd/applications/tigera-operator.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: tigera-operator
+ namespace: argocd
+spec:
+ project: k-space.ee
+ source:
+ # also depends on git@git.k-space.ee:secretspace/kube.git
+ repoURL: git@git.k-space.ee:k-space/kube.git
+ targetRevision: HEAD
+ path: tigera-operator
+ destination:
+ server: 'https://kubernetes.default.svc'
+ namespace: tigera-operator
+ syncPolicy:
+ # automated:
+ # prune: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true # Resource is too big to fit in 262144 bytes allowed annotation size.
+ - Force=true # `--force-conflicts`, according to https://docs.tigera.io/calico/latest/operations/upgrading/kubernetes-upgrade
diff --git a/tigera-operator/.gitignore b/tigera-operator/.gitignore
index e222e24..03bd412 100644
--- a/tigera-operator/.gitignore
+++ b/tigera-operator/.gitignore
@@ -1 +1 @@
-tigera-operator.yaml
+*.env
diff --git a/tigera-operator/README.md b/tigera-operator/README.md
index 82a455c..2227251 100644
--- a/tigera-operator/README.md
+++ b/tigera-operator/README.md
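Review bot: The `Force=true` entry under `syncOptions` in argocd/applications/tigera-operator.yaml is probably not the `--force-conflicts` that its comment describes. As far as I know, Argo CD's `Force=true` corresponds to `kubectl apply --force`, which deletes and recreates a resource when the patch fails, whereas `--force-conflicts` only takes over field ownership under server-side apply; this should be confirmed against the sync-options documentation for the Argo CD version in use. On the operator that manages the cluster's CNI, delete-and-recreate is a disruptive behaviour to enable by default, so I would drop the `- Force=true` line unless a sync actually reports a field-manager conflict, or at least correct the comment to say what the option does. Separately, `targetRevision: HEAD` makes every push to the default branch of k-space/kube the next sync candidate, so a one-line comment on why the `automated:` block stays commented out would help the next maintainer keep syncs manual.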
@@ -1,20 +1,10 @@
-# Calico
+# Calico (aka Tigera)
 
-Calico implements
-[container network interface plugin](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)
-which enables inter-pod network with BGP, also advertising Service LB IPs.
+Calico implements [container network interface plugin](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) which enables inter-pod network with BGP, also advertising Service LB IPs.
 
-# For user
-
-Nothing specific to point out, this is standard Kubernetes feature
-
-# For administrator
-
-Tigera operator was used to deploy Calico:
+Render and apply locally:
 
-```
-curl https://raw.githubusercontent.com/projectcalico/calico/v3.28.1/manifests/tigera-operator.yaml -O
-kubectl apply --server-side --force-conflicts -f tigera-operator.yaml
-kubectl apply -f application.yaml
-kubectl -n calico-system create secret generic bgp-secrets --from-literal=password=...
+```sh
+kustomize build . | kubectl diff -f-
+kustomize build . | kubectl apply --server-side --force-conflicts -f-
 ```
diff --git a/tigera-operator/bgp-secrets.env.example b/tigera-operator/bgp-secrets.env.example
new file mode 100644
index 0000000..371375e
--- /dev/null
+++ b/tigera-operator/bgp-secrets.env.example
@@ -0,0 +1,2 @@
+# Don't be a dummy by commiting renders with secrets
+password=
diff --git a/tigera-operator/application.yaml b/tigera-operator/custom-resources.yaml
similarity index 98%
rename from tigera-operator/application.yaml
rename to tigera-operator/custom-resources.yaml
index f0cdfbf..375d797 100644
--- a/tigera-operator/application.yaml
+++ b/tigera-operator/custom-resources.yaml
@@ -93,4 +93,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: calico-node
- namespace: calico-system
\ No newline at end of file
+ namespace: calico-system
diff --git a/tigera-operator/kustomization.yaml b/tigera-operator/kustomization.yaml
new file mode 100644
index 0000000..00f73c2
--- /dev/null
+++ b/tigera-operator/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- https://raw.githubusercontent.com/projectcalico/calico/v3.28.1/manifests/tigera-operator.yaml
+- ./custom-resources.yaml
+- ssh://git@git.k-space.ee/secretspace/kube/tigera-operator
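Review bot: Two of the three `resources` entries in tigera-operator/kustomization.yaml are fetched over the network at build time with nothing that fixes their content. `v3.28.1` in the raw.githubusercontent.com URL is a git tag, which upstream can move, and the `ssh://git@git.k-space.ee/secretspace/kube/tigera-operator` base carries no `?ref=`, so it presumably follows that repository's default branch; because the README applies the render with `--server-side --force-conflicts`, whatever those URLs return at build time goes straight to the cluster, and an operator manifest typically includes CRDs and cluster-scoped RBAC. I would either vendor the upstream manifest into this repository so that changes to it show up in review, or replace the tag with a full commit SHA in the URL path, and append `?ref=<commit-sha>` to the ssh base. A short comment here should also state that the Argo CD repo-server needs read-only credentials for secretspace/kube, and where `bgp-secrets.env.example` is consumed, since no generator in this kustomization references it.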