diff --git a/changelog.d/2-features/inbucket-tls-and-basic-auth b/changelog.d/2-features/inbucket-tls-and-basic-auth
new file mode 100644
index 0000000000..27ad9c766e
--- /dev/null
+++ b/changelog.d/2-features/inbucket-tls-and-basic-auth
@@ -0,0 +1 @@
+Add TLS and basic authentication to the inbucket (fake webmailer) ingress.
diff --git a/charts/inbucket/templates/basic-auth-secret.yaml b/charts/inbucket/templates/basic-auth-secret.yaml
new file mode 100644
index 0000000000..9918cbb716
--- /dev/null
+++ b/charts/inbucket/templates/basic-auth-secret.yaml
@@ -0,0 +1,15 @@
+{{- if (hasKey .Values "basicAuthSecret") }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: inbucket-basic-auth
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "inbucket.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ helm.sh/chart: {{ include "inbucket.chart" . }}
+type: Opaque
+data:
+ auth: {{ .Values.basicAuthSecret | b64enc | quote }}
+{{- end }}
diff --git a/charts/inbucket/templates/cert.yaml b/charts/inbucket/templates/cert.yaml
new file mode 100644
index 0000000000..3d6996212f
--- /dev/null
+++ b/charts/inbucket/templates/cert.yaml
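Review bot: The `hasKey .Values "basicAuthSecret"` guard on the first line of basic-auth-secret.yaml is true for an empty value as well, so `basicAuthSecret: ""` in an override still renders this Secret with `auth: ""` and, through the identical guard in the ingress.yaml hunk, switches basic auth on against an empty credentials file, which presumably rejects every login rather than leaving the ingress open. Testing the value itself, `{{- if .Values.basicAuthSecret }}`, covers both the absent and the empty case; the same change applies to the `{{- if (hasKey .Values "basicAuthSecret") }}` line in ingress.yaml. Because `auth` is rendered straight from values, whoever enables this is putting a password hash into a values file, so the template could carry a one-line comment pointing at `--set` or a separate, uncommitted values file for that key.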
@@ -0,0 +1,32 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: "letsencrypt-inbucket-csr"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+ annotations:
+ # The issuer changes when it's configured to use staging or prod ACME
+ # servers.
+ checksum/issuer: {{ include (print .Template.BasePath "/issuer.yaml") . | sha256sum }}
+spec:
+ issuerRef:
+ name: letsencrypt-inbucket
+ kind: Issuer
+ usages:
+ - server auth
+ duration: 2160h # 90d, Letsencrypt default; NOTE: changes are ignored by Letsencrypt
+ renewBefore: 360h # 15d
+ isCA: false
+ secretName: letsencrypt-inbucket-secret
+
+ privateKey:
+ algorithm: ECDSA
+ size: 384 # 521 is not supported by Letsencrypt
+ encoding: PKCS1
+ rotationPolicy: Always
+
+ dnsNames:
+ - {{ .Values.host }}
diff --git a/charts/inbucket/templates/ingress.yaml b/charts/inbucket/templates/ingress.yaml
index c2803b4e00..1866c5fc6a 100644
--- a/charts/inbucket/templates/ingress.yaml
+++ b/charts/inbucket/templates/ingress.yaml
@@ -10,7 +10,18 @@ metadata:
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 helm.sh/chart: {{ include "inbucket.chart" . }}
+ annotations:
+ kubernetes.io/ingress.class: nginx
+{{- if (hasKey .Values "basicAuthSecret") }}
+ nginx.ingress.kubernetes.io/auth-type: basic
+ nginx.ingress.kubernetes.io/auth-secret: inbucket-basic-auth
+ nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - inbucket'
+{{- end }}
 spec:
+ tls:
+ - hosts:
+ - {{ required "must specify host" .Values.host | quote }}
+ secretName: letsencrypt-inbucket-secret
 rules:
 - host: {{ required "must specify host" .Values.host | quote }}
 http:
diff --git a/charts/inbucket/templates/issuer.yaml b/charts/inbucket/templates/issuer.yaml
new file mode 100644
index 0000000000..d3f1d1bc94
--- /dev/null
+++ b/charts/inbucket/templates/issuer.yaml
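Review bot: The last line of cert.yaml renders the host as `- {{ .Values.host }}`, unquoted and without the `required` check, while ingress.yaml renders the very same value as `required "must specify host" .Values.host | quote`; a host that YAML would re-type or that starts with a special character therefore comes out differently in the Certificate than in the Ingress it is meant to serve. Use the same expression here, `- {{ required "must specify host" .Values.host | quote }}`, so the two templates cannot drift apart. The `# 90d, Letsencrypt default; NOTE: changes are ignored by Letsencrypt` comment on `duration` would be clearer as `# Let's Encrypt fixes the lifetime at 90d; this value is informational only`, since as written it is not obvious whether the ignored change is this field or the issuer's.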
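Review bot: The `kubernetes.io/ingress.class: nginx` annotation added at the top of the ingress.yaml hunk is the deprecated way of selecting the controller; if this Ingress is `networking.k8s.io/v1` (the apiVersion is above the hunk, so I cannot confirm it from here) the supported form is `ingressClassName: nginx` under `spec:` and the annotation can go. The added `tls:` block repeats the `required "must specify host" .Values.host | quote` expression already used under `rules:`, which works, but evaluating it once into a template variable at the top of the file (outside this hunk) would keep the two hosts in step if either is ever edited.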
@@ -0,0 +1,27 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: letsencrypt-inbucket
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "inbucket.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ helm.sh/chart: {{ include "inbucket.chart" . }}
+spec:
+ acme:
+{{- if .Values.useStagingACMEServer }}
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+{{- else }}
+ server: https://acme-v02.api.letsencrypt.org/directory
+{{- end }}
+ # Email address used for ACME registration
+ email: {{ required "must specify certManager.certmasterEmail" .Values.certManager.certmasterEmail | quote }}
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-inbucket-key
+ # Enable the HTTP-01 challenge provider
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
diff --git a/charts/inbucket/values.yaml b/charts/inbucket/values.yaml
index 3bff990c7e..4a15cfa1ab 100644
--- a/charts/inbucket/values.yaml
+++ b/charts/inbucket/values.yaml
@@ -11,3 +11,12 @@ inbucket:
 INBUCKET_WEB_GREETINGFILE: "/config/greeting.html"
 INBUCKET_MAILBOXNAMING: full
 INBUCKET_STORAGE_RETENTIONPERIOD: "72h"
+
+# The production ACME server of let's encrypt has a very strict rate limiting
+# and bans for weeks. Better try with the staging ACME server first.
+useStagingACMEServer: true
+
+# Enables and configures HTTP Basic Auth secret as e.g. created with
+# `htpasswd -bc auth username password`.
+#
+# basicAuthSecret: username:$apr1$3jXFMMZX$z6OOf4eUn1wU.NYJt246u1
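Review bot: issuer.yaml reads `certManager.certmasterEmail` through `required`, but the values.yaml hunk adds no `certManager:` key, so a plain install of this chart now fails and the operator only learns the key name from the error; add a documented placeholder next to the new keys, e.g. `# certManager:` / `#   certmasterEmail: ops@example.com  # required by issuer.yaml`. The `useStagingACMEServer: true` default means an install that is not explicitly overridden gets a Let's Encrypt staging certificate that browsers do not trust, and the comment above it should say that it must be flipped to `false` once the setup is known to work. The `htpasswd -bc auth username password` example passes the password on the command line, where it lands in shell history; `htpasswd -c auth username`, which prompts for it, is the safer form to recommend in the comment.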