diff --git a/cluster/apps/kustomization.yaml b/cluster/apps/kustomization.yaml
index 0839fc28..36520b57 100644
--- a/cluster/apps/kustomization.yaml
+++ b/cluster/apps/kustomization.yaml
@@ -7,4 +7,5 @@ resources: - kube-system - networking - harbor - - ttrss
\ No newline at end of file
+ - ttrss
+ - simplebookmarks-staging
diff --git a/cluster/apps/simplebookmarks-staging/Makefile b/cluster/apps/simplebookmarks-staging/Makefile
new file mode 100644
index 00000000..85222b2e
--- /dev/null
+++ b/cluster/apps/simplebookmarks-staging/Makefile
@@ -0,0 +1,11 @@
+.PHONY: generate-registry-secret
+
+all: generate-registry-secret
+
+SECRET_DOMAIN = $(shell sops -d --extract '["stringData"]["SECRET_DOMAIN"]' ../../base/cluster-secrets.sops.yaml)
+SECRET_DOCKER_USERNAME = $(shell sops -d --extract '["stringData"]["SECRET_SIMPLEBOOKMARKS_DOCKER_USERNAME"]' ../../base/cluster-secrets.sops.yaml)
+SECRET_DOCKER_PASSWORD = $(shell sops -d --extract '["stringData"]["SECRET_SIMPLEBOOKMARKS_DOCKER_PASSWORD"]' ../../base/cluster-secrets.sops.yaml)
+SECRET_DOCKER_EMAIL = $(shell sops -d --extract '["stringData"]["SECRET_SIMPLEBOOKMARKS_DOCKER_EMAIL"]' ../../base/cluster-secrets.sops.yaml)
+
+generate-registry-secret:
+ kubectl create secret docker-registry docker-registry-harbor --docker-server=harbor.$(SECRET_DOMAIN)/simplebookmarks --docker-username=$(SECRET_DOCKER_USERNAME) --docker-password=$(SECRET_DOCKER_PASSWORD) --docker-email=$(SECRET_DOCKER_EMAIL) --dry-run=client -o yaml > ./docker-secret.yaml
diff --git a/cluster/apps/simplebookmarks-staging/certificate.yaml b/cluster/apps/simplebookmarks-staging/certificate.yaml
new file mode 100644
index 00000000..b4d56834
--- /dev/null
+++ b/cluster/apps/simplebookmarks-staging/certificate.yaml 
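Review bot: The `generate-registry-secret` recipe decrypts the Harbor credential from `cluster-secrets.sops.yaml` and then re-persists it unencrypted as `./docker-secret.yaml` inside the kustomization directory — the very file that is committed further down in this commit — so the sops protection on the source material buys nothing. The recipe line is also not `@`-prefixed, so make echoes the full command with `--docker-password=…` into the terminal or CI log, and the password sits in the process argument list for the duration of the `kubectl` call. Pipe the `--dry-run=client -o yaml` output straight into `sops --encrypt`, write `docker-secret.sops.yaml`, silence the echo, and switch the four `$(shell sops -d …)` assignments to `:=` so each decryption runs once at parse time; add `.DELETE_ON_ERROR:` so a failed pipeline does not leave a half-written file behind. Whether the Flux Kustomization for this path has sops decryption enabled is not visible here — confirm before renaming the file.
```make
.DELETE_ON_ERROR:

SECRET_DOMAIN := $(shell sops -d --extract '["stringData"]["SECRET_DOMAIN"]' ../../base/cluster-secrets.sops.yaml)
# … unchanged: the three SECRET_DOCKER_* assignments, likewise with := …

generate-registry-secret:
	@kubectl create secret docker-registry docker-registry-harbor \
	  --docker-server=harbor.$(SECRET_DOMAIN)/simplebookmarks \
	  --docker-username=$(SECRET_DOCKER_USERNAME) --docker-password=$(SECRET_DOCKER_PASSWORD) \
	  --docker-email=$(SECRET_DOCKER_EMAIL) --dry-run=client -o yaml \
	  | sops --encrypt --input-type yaml --output-type yaml --encrypted-regex '^(data|stringData)$$' /dev/stdin \
	  > ./docker-secret.sops.yaml
```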
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: tls-staging-api
+ namespace: simplebookmarks-staging
+spec:
+ commonName: api.staging.${SECRET_SIMPLEBOOKMARKS_DOMAIN}
+ secretName: tls-staging-api
+ dnsNames:
+ - api.staging.${SECRET_SIMPLEBOOKMARKS_DOMAIN}
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
diff --git a/cluster/apps/simplebookmarks-staging/docker-secret.yaml b/cluster/apps/simplebookmarks-staging/docker-secret.yaml
new file mode 100644
index 00000000..7d6d924a
--- /dev/null
+++ b/cluster/apps/simplebookmarks-staging/docker-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IuZGhvc3RpbmcueHl6L3NpbXBsZWJvb2ttYXJrcyI6eyJ1c2VybmFtZSI6InNpbXBsZWJvb2ttYXJrcyIsInBhc3N3b3JkIjoiYmdOeVFCQm1xdFRkMjNGY0p3WVVYa21sYXJuZGZ2MFgiLCJlbWFpbCI6ImR2ZF9sQGhvdG1haWwuY29tIiwiYXV0aCI6ImMybHRjR3hsWW05dmEyMWhjbXR6T21KblRubFJRa0p0Y1hSVVpESXpSbU5LZDFsVldHdHRiR0Z5Ym1SbWRqQlkifX19
+kind: Secret
+metadata:
+ creationTimestamp: null
+ name: docker-registry-harbor
+type: kubernetes.io/dockerconfigjson
diff --git a/cluster/apps/simplebookmarks-staging/kustomization.yaml b/cluster/apps/simplebookmarks-staging/kustomization.yaml
new file mode 100644
index 00000000..1f63f162
--- /dev/null
+++ b/cluster/apps/simplebookmarks-staging/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - docker-secret.yaml
+ - certificate.yaml
+ - route.yaml
+ - oauth2-proxy-helm-release.yaml
+namespace: simplebookmarks-staging
diff --git a/cluster/apps/simplebookmarks-staging/oauth2-proxy-helm-release.yaml b/cluster/apps/simplebookmarks-staging/oauth2-proxy-helm-release.yaml
new file mode 100644
index 00000000..afa81d93
--- /dev/null
+++ b/cluster/apps/simplebookmarks-staging/oauth2-proxy-helm-release.yaml 
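Review bot: `docker-secret.yaml` commits the Harbor pull credential in the clear — the `.dockerconfigjson` value is base64, not encryption, and decoding it gives a JSON document with the real registry host, the username, the password and an e-mail address, while the rest of this commit carefully hides even the domain behind `${SECRET_DOMAIN}`/`${SECRET_SIMPLEBOOKMARKS_DOMAIN}` substitutions. Treat that password as compromised and rotate it in Harbor now; encrypting or deleting the file in a later commit still leaves this revision in git history. Regenerate the Secret as a sops-encrypted `docker-secret.sops.yaml` (the Makefile added in this commit is the natural place to pipe `kubectl … -o yaml` through `sops --encrypt`) and point the `resources:` entry in `kustomization.yaml` at the new name, assuming the Flux Kustomization for this path has `decryption.provider: sops` — not visible here. Nothing in this diff references `docker-registry-harbor` from an `imagePullSecrets` entry, so presumably the consuming workload lives elsewhere; a short comment above `name:` saying which Deployment relies on it would help the next reader.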
@@ -0,0 +1,77 @@
+---
+
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: oauth2-proxy
+ namespace: simplebookmarks-staging
+spec:
+ interval: 5m
+ chart:
+ spec:
+ # renovate: registryUrl=https://oauth2-proxy.github.io/manifests
+ chart: oauth2-proxy
+ version: 5.1.0
+ sourceRef:
+ kind: HelmRepository
+ name: oauth2-proxy
+ namespace: flux-system
+ interval: 5m
+ values:
+ # Oauth client configuration specifics
+ config:
+ # OAuth client ID
+ clientID: "${SECRET_SIMPLEBOOKMARKS_STAGING_OAUTH_CLIENT_ID}"
+ # OAuth client secret
+ clientSecret: "${SECRET_SIMPLEBOOKMARKS_STAGING_OAUTH_CLIENT_SECRET}"
+ # Create a new secret with the following command
+ # openssl rand -base64 32 | head -c 32 | base64
+ # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields)
+ # Example:
+ # existingSecret: secret
+ cookieSecret: "${SECRET_SIMPLEBOOKMARKS_STAGING_OAUTH_COOKIE_SECRET}"
+ # The name of the cookie that oauth2-proxy will create
+ # If left empty, it will default to the release name
+ cookieName: ""
+ configFile: |-
+ http_address="0.0.0.0:4180"
+ provider="oidc"
+ redirect_url="https://staging.${SECRET_SIMPLEBOOKMARKS_DOMAIN}/oauth2/callback"
+ oidc_issuer_url="${SECRET_SIMPLEBOOKMARKS_OAUTH_ISSUER_URL}"
+ oidc_jwks_url="${SECRET_SIMPLEBOOKMARKS_OAUTH_ISSUER_URL}.well-known/openid-configuration"
+ profile_url="${SECRET_SIMPLEBOOKMARKS_OAUTH_ISSUER_URL}userinfo"
+ cookie_domains=[
+ ".staging.${SECRET_SIMPLEBOOKMARKS_DOMAIN}"
+ ]
+ upstreams = [
+ "http://simplebookmarks-staging-api.simplebookmarks-staging.svc"
+ ]
+ pass_access_token="true"
+ pass_authorization_header="true"
+ skip_provider_button="true"
+ email_domains="*"
+ whitelist_domains=[
+ "staging.${SECRET_SIMPLEBOOKMARKS_DOMAIN}"
+ ]
+ # set the ID Token in the headers of the responses
+ # useful to retrieve it from the frontend
+ set_authorization_header="true"
+
+ metrics:
+ # Enable Prometheus metrics endpoint
+ enabled: true
+ # Serve Prometheus 
metrics on this port
+ port: 44180
+ servicemonitor:
+ # Enable Prometheus Operator ServiceMonitor
+ enabled: false
+ # Define the namespace where to deploy the ServiceMonitor resource
+ namespace: ""
+ # Prometheus Instance definition
+ prometheusInstance: default
+ # Prometheus scrape interval
+ interval: 60s
+ # Prometheus scrape timeout
+ scrapeTimeout: 30s
+ # Add custom labels to the ServiceMonitor resource
+ labels: {}
diff --git a/cluster/apps/simplebookmarks-staging/route.yaml b/cluster/apps/simplebookmarks-staging/route.yaml
new file mode 100644
index 00000000..1b398a34
--- /dev/null
+++ b/cluster/apps/simplebookmarks-staging/route.yaml
@@ -0,0 +1,19 @@
+---
+## Route going to oauth2-proxy service
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: staging-api
+ namespace: simplebookmarks-staging
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - kind: Rule
+ match: Host(`api.staging.${SECRET_SIMPLEBOOKMARKS_DOMAIN}`)
+ priority: 10
+ services:
+ - name: oauth2-proxy
+ port: 80
+ tls:
+ secretName: tls-staging-api
diff --git a/cluster/charts/kustomization.yaml b/cluster/charts/kustomization.yaml
index e2f4b7df..41dfb8b1 100644
--- a/cluster/charts/kustomization.yaml
+++ b/cluster/charts/kustomization.yaml
@@ -14,4 +14,5 @@ resources: - traefik.yaml - weaveworks-kured.yaml - nfs-subdir-external-provisioner.yaml - - harbor.yaml
\ No newline at end of file
+ - harbor.yaml
+ - oauth2-proxy.yaml
\ No newline at end of file
diff --git a/cluster/charts/oauth2-proxy.yaml b/cluster/charts/oauth2-proxy.yaml
new file mode 100644
index 00000000..640fd0f5
--- /dev/null
+++ b/cluster/charts/oauth2-proxy.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: oauth2-proxy
+ namespace: flux-system
+spec:
+ interval: 15m
+ url: https://oauth2-proxy.github.io/manifests
+ timeout: 3m 
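Review bot: `oidc_jwks_url` in the `configFile` block is set to `${SECRET_SIMPLEBOOKMARKS_OAUTH_ISSUER_URL}.well-known/openid-configuration`, which is the OIDC discovery document, not a JSON Web Key Set; as far as I recall oauth2-proxy only consults this option when `skip_oidc_discovery` is enabled, so today the line is dead, and the moment someone turns discovery off ID-token signature verification will fail against a document that carries no keys — drop the line and let discovery supply `jwks_uri`, or set it to the issuer's real JWKS endpoint. The `${…ISSUER_URL}.well-known/…` and `${…ISSUER_URL}userinfo` concatenations also silently assume the secret ends with a `/`, which is worth a comment next to `oidc_issuer_url` because that string must match the token's `iss` claim byte for byte. `redirect_url` is `https://staging.${DOMAIN}/oauth2/callback` while the only IngressRoute in this commit matches `api.staging.${DOMAIN}`; unless another route sends `/oauth2/callback` on `staging.${DOMAIN}` to this Service, the IdP callback never reaches oauth2-proxy. Finally, `email_domains="*"` together with `set_authorization_header="true"` admits any account at the IdP and hands its ID token back to the browser — acceptable for staging if the upstream API does its own authorization, but a comment saying so (e.g. `# any IdP account may reach the proxy; the API enforces per-user authorization`) would stop it being copied into production as-is.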
diff --git a/cluster/core/namespaces/argocd.yaml b/cluster/core/namespaces/argocd.yaml
new file mode 100644
index 00000000..42add95e
--- /dev/null
+++ b/cluster/core/namespaces/argocd.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: argocd
diff --git a/cluster/core/namespaces/kustomization.yaml b/cluster/core/namespaces/kustomization.yaml
index 94a03216..54b6c289 100644
--- a/cluster/core/namespaces/kustomization.yaml
+++ b/cluster/core/namespaces/kustomization.yaml
@@ -8,4 +8,7 @@ resources: - system-upgrade.yaml - nfs-provisioner.yaml - harbor.yaml - - ttrss.yaml
\ No newline at end of file
+ - ttrss.yaml
+ - argocd.yaml
+ - simplebookmarks-production.yaml
+ - simplebookmarks-staging.yaml
diff --git a/cluster/core/namespaces/simplebookmarks-production.yaml b/cluster/core/namespaces/simplebookmarks-production.yaml
new file mode 100644
index 00000000..2a06c20b
--- /dev/null
+++ b/cluster/core/namespaces/simplebookmarks-production.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: simplebookmarks-production
diff --git a/cluster/core/namespaces/simplebookmarks-staging.yaml b/cluster/core/namespaces/simplebookmarks-staging.yaml
new file mode 100644
index 00000000..8885c2cc
--- /dev/null
+++ b/cluster/core/namespaces/simplebookmarks-staging.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: simplebookmarks-staging