diff --git a/clusters/yc-cps-prod/helm-repositories.yaml b/clusters/yc-cps-prod/helm-repositories.yaml
new file mode 100644
index 0000000..bbdeea6
--- /dev/null
+++ b/clusters/yc-cps-prod/helm-repositories.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: yc-oci-charts
+  namespace: flux-system
+spec:
+  type: oci
+  interval: 10m0s
+  url: oci://cr.yandex/crp3ccidau046kdj8g9q/charts
+  secretRef:
+    name: yc-cr-auth
diff --git a/clusters/yc-cps-prod/infrastructure/kustomization.yaml b/clusters/yc-cps-prod/infrastructure/kustomization.yaml
new file mode 100644
index 0000000..9a4f017
--- /dev/null
+++ b/clusters/yc-cps-prod/infrastructure/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../infrastructure/vault
+  - ./vault-istio.yaml
+patches:
+  - path: ./patches/vault.yaml
+    target:
+      group: helm.toolkit.fluxcd.io
+      version: v2
+      kind: HelmRelease
+      name: vault
+      namespace: vault
diff --git a/clusters/yc-cps-prod/infrastructure/patches/vault.yaml b/clusters/yc-cps-prod/infrastructure/patches/vault.yaml
new file mode 100644
index 0000000..ab7e936
--- /dev/null
+++ b/clusters/yc-cps-prod/infrastructure/patches/vault.yaml
@@ -0,0 +1,12 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: vault
+  namespace: vault
+spec:
+  interval: 5m
+  timeout: 10m
+  values:
+    server:
+      dataStorage:
+        storageClass: yc-network-hdd
diff --git a/clusters/yc-cps-prod/infrastructure/vault-istio.yaml b/clusters/yc-cps-prod/infrastructure/vault-istio.yaml
new file mode 100644
index 0000000..db40b05
--- /dev/null
+++ b/clusters/yc-cps-prod/infrastructure/vault-istio.yaml
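Review bot: `secretRef: name: yc-cr-auth` points at a registry credential in flux-system that nothing in this change creates or documents, so a reader cannot tell how it is provisioned (SOPS-encrypted Secret, External Secrets, manual kubectl) or how it is rotated. Add a comment above `secretRef`, e.g. `# Pull credential for cr.yandex (docker-config Secret); provisioned by <mechanism>, rotated <how>`. Since `type: oci` with a `secretRef` is static key auth, the key behind it should be scoped to pull-only on that one registry; I cannot see the key's scope from here, so please confirm. Nothing visible verifies chart signatures either — if the charts in this registry are signed, the consuming HelmRelease (outside this hunk) can pin provenance with `verify.provider: cosign`.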
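Review bot: The patch overrides three settings of the shared base (`interval`, `timeout`, and `server.dataStorage.storageClass`) without saying why prod diverges, which is exactly the kind of per-cluster drift that gets silently copied to the next cluster. Add a one-line reason above each override, e.g. `# Prod: persistent YC network disk for Vault data` above `storageClass` and a similar note for the reconcile `interval`/`timeout` values. The base HelmRelease is not in this diff, so I cannot tell whether these replace defaults or merely restate them; if they restate the base, drop them from the patch.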
@@ -0,0 +1,61 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: vault-cert
+  namespace: istio-system
+spec:
+  dnsNames:
+    - vault.infra.cps.sarex.io
+  duration: 2160h
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt-issuer-istio
+  privateKey:
+    rotationPolicy: Always
+  renewBefore: 360h
+  secretName: vault-tls
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: vault-gateway
+  namespace: gateway
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+    - hosts:
+        - vault.infra.cps.sarex.io
+      port:
+        name: https-443
+        number: 443
+        protocol: HTTPS
+      tls:
+        credentialName: vault-tls
+        mode: SIMPLE
+    - hosts:
+        - vault.infra.cps.sarex.io
+      port:
+        name: http-80
+        number: 80
+        protocol: HTTP
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: vault-virt-service
+  namespace: vault
+spec:
+  gateways:
+    - gateway/vault-gateway
+  hosts:
+    - vault.infra.cps.sarex.io
+  http:
+    - match:
+        - uri:
+            prefix: /
+      route:
+        - destination:
+            host: vault-vault-contour.vault.svc.cluster.local
+          port:
+            number: 8200
diff --git a/clusters/yc-cps-prod/kustomization.yaml b/clusters/yc-cps-prod/kustomization.yaml
new file mode 100644
index 0000000..a8384a3
--- /dev/null
+++ b/clusters/yc-cps-prod/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./flux-system
+  - ./helm-repositories.yaml
+  - ./infrastructure
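Review bot: The second `servers` entry of `vault-gateway` answers plain HTTP on port 80 for the same host with no redirect, and the VirtualService routes every path on that host to Vault port 8200, so a client that types http://vault.infra.cps.sarex.io sends its Vault token and any secret payload in cleartext to the ingress gateway. Add `tls:` / `httpsRedirect: true` under the `http-80` server so port 80 only returns a 301, or at least add `port: 443` to the VirtualService match so the HTTP listener routes nothing. If `letsencrypt-issuer-istio` solves ACME with HTTP-01 through this gateway, the redirect will break renewals, so confirm it uses DNS-01 first. Nothing visible restricts who can reach this host (no AuthorizationPolicy, no source-range filter), so Vault's API and UI appear to be exposed to the whole internet; that may be intended, but it deserves an explicit comment. The destination `vault-vault-contour.vault.svc.cluster.local` does not look like a stock Vault chart service name for a release called `vault`, so please double-check it resolves.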