diff --git a/infrastructure/nginx-ingress/nginx-ingress.libsonnet b/infrastructure/nginx-ingress/nginx-ingress.libsonnet
index 8822f79..da2331b 100644
--- a/infrastructure/nginx-ingress/nginx-ingress.libsonnet
+++ b/infrastructure/nginx-ingress/nginx-ingress.libsonnet
@@ -10,15 +10,23 @@ local k = (import '../../prelude.libsonnet');
       loadBalancerIP: error 'you need a static loadbalancer ip (public IP for external, internal IP for internal)',
       internalSubnetAzure: null,
       replicas: 2,
+      defaultTlsCertificate: null,
     },
     // end_config
   },
 
   newNginxIngress(config={}):: manifest {
 
+
     local this = self,
     local cfg = $._config.nginxingress + config,
 
+    // https://github.com/google/jsonnet/issues/234#issuecomment-275489855
+    local join(a) =
+      local notNull(i) = i != null;
+      local maybeFlatten(acc, i) = if std.type(i) == "array" then acc + i else acc + [i];
+      std.foldl(maybeFlatten, std.filter(notNull, a), []),
+
     'service-ingress-nginx-controller'+: if cfg.type == 'external' then {
       spec+: {
         loadBalancerIP: cfg.loadBalancerIP,
@@ -40,7 +48,10 @@ local k = (import '../../prelude.libsonnet');
           spec+: {
             containers: [
               super.containers[0] {
-                args: super.args + ['--watch-ingress-without-class'],
+                args: join([super.args, 
+                  '--watch-ingress-without-class', 
+                  if cfg.defaultTlsCertificate != null then ['--default-ssl-certificate='+cfg.defaultTlsCertificate]
+                ]),
               },
             ] + super.containers[1:],
           },