diff --git a/cmd/webhook.go b/cmd/webhook.go
index dd6317c4..35c09865 100644
--- a/cmd/webhook.go
+++ b/cmd/webhook.go
@@ -173,8 +173,6 @@ Supported registries:
 	webhookCmd.Flags().DurationVar(&cfg.CheckInterval, "interval", env.GetDurationVal("IMAGE_UPDATER_INTERVAL", 2*time.Minute), "interval for how often to check for updates")
 	webhookCmd.Flags().StringVar(&cfg.LogLevel, "loglevel", env.GetStringVal("IMAGE_UPDATER_LOGLEVEL", "info"), "set the loglevel to one of trace|debug|info|warn|error")
 	webhookCmd.Flags().StringVar(&kubeConfig, "kubeconfig", "", "full path to kubernetes client configuration, i.e. ~/.kube/config")
-	webhookCmd.Flags().IntVar(&cfg.HealthPort, "health-port", 8080, "port to start the health server on, 0 to disable")
-	webhookCmd.Flags().IntVar(&cfg.MetricsPort, "metrics-port", 8081, "port to start the metrics server on, 0 to disable")
 	webhookCmd.Flags().StringVar(&cfg.RegistriesConf, "registries-conf-path", defaultRegistriesConfPath, "path to registries configuration file")
 	webhookCmd.Flags().BoolVar(&disableKubernetes, "disable-kubernetes", false, "do not create and use a Kubernetes client")
 	webhookCmd.Flags().IntVar(&cfg.MaxConcurrency, "max-concurrency", 10, "maximum number of update threads to run concurrently")
@@ -190,7 +188,7 @@ Supported registries:
 	webhookCmd.Flags().StringVar(&commitMessagePath, "git-commit-message-path", defaultCommitTemplatePath, "Path to a template to use for Git commit messages")
 	webhookCmd.Flags().BoolVar(&cfg.DisableKubeEvents, "disable-kube-events", env.GetBoolVal("IMAGE_UPDATER_KUBE_EVENTS", false), "Disable kubernetes events")
 
-	webhookCmd.Flags().IntVar(&webhookCfg.Port, "webhook-port", env.ParseNumFromEnv("WEBHOOK_PORT", 8082, 0, 65535), "Port to listen on for webhook events")
+	webhookCmd.Flags().IntVar(&webhookCfg.Port, "webhook-port", env.ParseNumFromEnv("WEBHOOK_PORT", 8080, 0, 65535), "Port to listen on for webhook events")
 	webhookCmd.Flags().StringVar(&webhookCfg.DockerSecret, "docker-webhook-secret", env.GetStringVal("DOCKER_WEBHOOK_SECRET", ""), "Secret for validating Docker Hub webhooks")
 	webhookCmd.Flags().StringVar(&webhookCfg.GHCRSecret, "ghcr-webhook-secret", env.GetStringVal("GHCR_WEBHOOK_SECRET", ""), "Secret for validating GitHub Container Registry webhooks")
 	webhookCmd.Flags().StringVar(&webhookCfg.QuaySecret, "quay-webhook-secret", env.GetStringVal("QUAY_WEBHOOK_SECRET", ""), "Secret for validating Quay webhooks")
diff --git a/manifests/base/deployment/argocd-image-updater-deployment.yaml b/manifests/base/deployment/argocd-image-updater-deployment.yaml
index 851795fe..c139a25c 100644
--- a/manifests/base/deployment/argocd-image-updater-deployment.yaml
+++ b/manifests/base/deployment/argocd-image-updater-deployment.yaml
@@ -113,6 +113,42 @@ spec:
               name: argocd-image-updater-config
               key: log.level
               optional: true
+        - name: ENABLE_WEBHOOK
+          valueFrom:
+              configMapKeyRef:
+                name: argocd-image-updater-config
+                key: webhook.enable
+                optional: true
+        - name: WEBHOOK_PORT
+          valueFrom:
+            configMapKeyRef:
+                name: argocd-image-updater-config
+                key: webhook.port
+                optional: true
+        - name: QUAY_WEBHOOK_SECRET
+          valueFrom:
+            configMapKeyRef:
+                name: argocd-image-updater-secret
+                key: webhook.quay-secret
+                optional: true
+        - name: DOCKER_WEBHOOK_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: argocd-image-updater-secret
+              key: webhook.docker-secret
+              optional: true
+        - name: GHCR_WEBHOOK_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: argocd-image-updater-secret
+              key: webhook.ghcr-secret
+              optional: true
+        - name: HARBOR_WEBHOOK_SECRET
+          valueFrom:
+              secretKeyRef:
+                name: argocd-image-updater-secret
+                key: webhook.harbor-secret
+                optional: true
         livenessProbe:
           httpGet:
             path: /healthz
diff --git a/manifests/base/networking/argocd-image-updater-ingress.yaml b/manifests/base/networking/argocd-image-updater-ingress.yaml
new file mode 100644
index 00000000..9bfc1636
--- /dev/null
+++ b/manifests/base/networking/argocd-image-updater-ingress.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argocd-image-updater-ingress
+spec:
+  rules:
+  - host: cluster.host
+    http:
+      paths:
+      - path: /webhook
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-image-updater-service
+            port:
+              number: 8080
+      - path: /healthz
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-image-updater-service
+            port:
+              number: 8080
diff --git a/manifests/base/networking/argocd-image-updater-service.yaml b/manifests/base/networking/argocd-image-updater-service.yaml
new file mode 100644
index 00000000..c89844d7
--- /dev/null
+++ b/manifests/base/networking/argocd-image-updater-service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: argocd-image-updater-service
+spec:
+  selector:
+    app.kubernetes.io/name: argocd-image-updater
+  type: NodePort
+  ports:
+  - name: server-port
+    protocol: TCP
+    port: 8080
+    targetPort: 8080
diff --git a/manifests/base/networking/kustomization.yaml b/manifests/base/networking/kustomization.yaml
new file mode 100644
index 00000000..7c550ba5
--- /dev/null
+++ b/manifests/base/networking/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- argocd-image-updater-ingress.yaml
+- argocd-image-updater-service.yaml
diff --git a/manifests/install.yaml b/manifests/install.yaml
index 170d153a..de8fc475 100644
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -221,6 +221,42 @@ spec:
               key: log.level
               name: argocd-image-updater-config
               optional: true
+        - name: ENABLE_WEBHOOK
+          valueFrom:
+            configMapKeyRef:
+              key: webhook.enable
+              name: argocd-image-updater-config
+              optional: true
+        - name: WEBHOOK_PORT
+          valueFrom:
+            configMapKeyRef:
+              key: webhook.port
+              name: argocd-image-updater-config
+              optional: true
+        - name: QUAY_WEBHOOK_SECRET
+          valueFrom:
+            configMapKeyRef:
+              key: webhook.quay-secret
+              name: argocd-image-updater-secret
+              optional: true
+        - name: DOCKER_WEBHOOK_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: webhook.docker-secret
+              name: argocd-image-updater-secret
+              optional: true
+        - name: GHCR_WEBHOOK_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: webhook.ghcr-secret
+              name: argocd-image-updater-secret
+              optional: true
+        - name: HARBOR_WEBHOOK_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: webhook.harbor-secret
+              name: argocd-image-updater-secret
+              optional: true
         image: quay.io/argoprojlabs/argocd-image-updater:latest
         imagePullPolicy: Always
         livenessProbe: