diff --git a/api/v1/store.go b/api/v1/store.go
index 2c6a25c..1c72ec7 100644
--- a/api/v1/store.go
+++ b/api/v1/store.go
@@ -99,6 +99,9 @@ type NetworkSpec struct {
 	IngressClassName string            `json:"ingressClassName,omitempty"`
 	Annotations      map[string]string `json:"annotations,omitempty"`
 	Labels           map[string]string `json:"labels,omitempty"`
+
+	// +kubebuilder:default=store-tls
+	TLSSecretName string `json:"tlsSecretName,omitempty"`
 }
 
 type ContainerSpec struct {
diff --git a/internal/ingress/ingress.go b/internal/ingress/ingress.go
index a420fff..efb6767 100644
--- a/internal/ingress/ingress.go
+++ b/internal/ingress/ingress.go
@@ -33,6 +33,16 @@ func GetStoreIngress(
 func StoreIngress(store *v1.Store) *networkingv1.Ingress {
 	pathType := networkingv1.PathTypePrefix
 
+	var tls []networkingv1.IngressTLS
+	if store.Spec.Network.TLSSecretName != "" {
+		tls = append(tls, networkingv1.IngressTLS{
+			Hosts: []string{
+				store.Spec.Network.Host,
+			},
+			SecretName: store.Spec.Network.TLSSecretName,
+		})
+	}
+
 	return &networkingv1.Ingress{
 		TypeMeta: metav1.TypeMeta{},
 		ObjectMeta: metav1.ObjectMeta{
@@ -102,14 +112,7 @@ func StoreIngress(store *v1.Store) *networkingv1.Ingress {
 					},
 				},
 			},
-			TLS: []networkingv1.IngressTLS{
-				{
-					Hosts: []string{
-						store.Spec.Network.Host,
-					},
-					SecretName: GetTLSStoreSecretName(store),
-				},
-			},
+			TLS: tls,
 		},
 	}
 }
@@ -117,7 +120,3 @@ func StoreIngress(store *v1.Store) *networkingv1.Ingress {
 func GetStoreIngressName(store *v1.Store) string {
 	return fmt.Sprintf("store-%s", store.Name)
 }
-
-func GetTLSStoreSecretName(store *v1.Store) string {
-	return fmt.Sprintf("store-tls-%s", store.Name)
-}