diff --git a/README.md b/README.md
index bd917fb456dab00e370590aa6ffa60fe42deebe0..84c1c17465179ccf1d715a5b1d777bf7475c60de 100644
--- a/README.md
+++ b/README.md
@@ -119,6 +119,20 @@ SIGNER_ADDR=https://{{SIGNER_ADDRESS}} go test
 
 [Dependencies](go.mod)
 
+## Deployment
+
+### Helm
+
+#### Istio intergration
+
+Optional Istio integration is done the following way in the `values.yaml` file:
+
+```yaml
+istio:
+  injection:
+    pod: true
+```
+
 ## License
 
 [Apache 2.0 license](LICENSE)
diff --git a/deployment/helm/.helmignore b/deployment/helm/.helmignore
new file mode 100644
index 0000000000000000000000000000000000000000..898df48862b94319e7d688373d5768d01a6a0e1f
--- /dev/null
+++ b/deployment/helm/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
diff --git a/deployment/helm/Chart.yaml b/deployment/helm/Chart.yaml
index e8bebd2c9b2e245435f56ea6c9aa2cf028259432..eea70dbb91a4149d7dd21363cec961751713380d 100644
--- a/deployment/helm/Chart.yaml
+++ b/deployment/helm/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion:  v1.0.7
+appVersion:  v1.1.1
 description: signer deployment
 name: signer
-version: 1.0.7
+version: 1.1.1
diff --git a/deployment/helm/templates/_helpers.tpl b/deployment/helm/templates/_helpers.tpl
index 6955ccba19a0e68b2918305e46546f4741fea0aa..a0429b991bf4a4f03bc16fe02ed5f309017ff4c4 100644
--- a/deployment/helm/templates/_helpers.tpl
+++ b/deployment/helm/templates/_helpers.tpl
@@ -40,6 +40,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 
 {{/*
+Istio labels
+*/}}
+{{- define "app.istioLabels" -}}
+{{- if ((.Values.istio).injection).pod -}}
+sidecar.istio.io/inject: "true"
+{{- else if eq (((.Values.istio).injection).pod) false -}}
+sidecar.istio.io/inject: "false"
+{{- end -}}
+{{- end -}}
+{{/*
+
 Selector labels
 */}}
 {{- define "app.selectorLabels" -}}
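Review bot: The `Istio labels` comment above `app.istioLabels` does not say that the helper has three outcomes: `"true"` when `istio.injection.pod` is truthy, `"false"` only when it is explicitly `false`, and no label at all when the key is absent. A comment such as `Emits sidecar.istio.io/inject; renders nothing when istio.injection.pod is unset, so the namespace-level injection setting applies` would make that explicit. The `else if eq (...) false` branch compares a possibly missing value with a boolean, which some Go template versions may reject as an incompatible comparison, so it is worth rendering the chart once with `istio` removed from the values. The new `{{/*` that opens the `Selector labels` comment also sits directly after `{{- end -}}` with the blank line inside the comment; moving the blank line before `{{/*` keeps the helpers visually separated.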
diff --git a/deployment/helm/templates/argocd/argo-application.yaml b/deployment/helm/templates/argocd/argo-application.yaml
deleted file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000
diff --git a/deployment/helm/templates/argocd/argo-project.yaml b/deployment/helm/templates/argocd/argo-project.yaml
deleted file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000
diff --git a/deployment/helm/templates/deployment.yaml b/deployment/helm/templates/deployment.yaml
index 4ea1a708c1380cdc92c110dc2f1545ce5b3dffd9..21e82c0ef7d3929c9f2c3d0b0c5d706e155b5476 100644
--- a/deployment/helm/templates/deployment.yaml
+++ b/deployment/helm/templates/deployment.yaml
@@ -7,6 +7,7 @@ metadata:
     {{- include "app.labels" . | nindent 4 }}
     app.kubernetes.io/instance: {{ include "app.revision" . }}
     app.kubernetes.io/part-of: rse
+    {{ include "app.istioLabels" . | nindent 4 }}
 spec:
   replicas: {{ .Values.replicaCount }}
   strategy:
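Review bot: The `include "app.istioLabels"` line is added under the Deployment's own `metadata.labels` (the next line is `spec:`), but Istio's injector reads `sidecar.istio.io/inject` from the pod, so the label most likely needs to be in `spec.template.metadata.labels` to have any effect. The pod template is outside this hunk and no other hunk in this diff touches it, so as written the setting may silently do nothing and the workload could run without a sidecar while the values say injection is on. Consider adding `{{- include "app.istioLabels" . | nindent 8 }}` to the pod template labels, and writing this line with `{{-` as the neighbouring `app.labels` include does, for consistency.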
@@ -54,10 +55,16 @@ spec:
             value: {{ .Values.signer.vault.addr | quote }}
           {{- if .Values.signer.vault.token }}
           - name: VAULT_TOKEN
-            value: {{ .Values.signer.vault.token | quote }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.signer.vault.token.secretName }}
+                key: {{ .Values.signer.vault.token.key }}
           {{- end }}
           - name: VAULT_SIGNING_KEY
-            value: {{ .Values.signer.vault.key.signing | quote }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.signer.vault.key.signing.secretName }}
+                key: {{ .Values.signer.vault.key.signing.key }}
           - name: VAULT_SUPPORTED_KEYS
             value: {{ .Values.signer.vault.key.supported | quote }}
           - name: CREDENTIAL_ISSUER
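Review bot: The `secretKeyRef` `name` and `key` values are rendered unquoted and unvalidated, unlike the neighbouring `| quote` lines, so a missing or number-looking value produces an invalid or mistyped manifest instead of a clear error. Something like `name: {{ required "signer.vault.token.secretName is required" .Values.signer.vault.token.secretName | quote }}` (and the same for `key` and for the signing-key reference) fails at render time instead. `{{- if .Values.signer.vault.token }}` now tests a map, so an existing override that still passes `token` as a plain string will pass the `if` and then fail on `.token.secretName`; this values-schema change deserves a mention in the README or chart notes. No hunk in this diff adds a Secret template, so the referenced Secrets apparently have to exist in the release namespace before install, and saying so next to the defaults in `values.yaml` would save a failed rollout. The container spec continues outside the hunk.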
diff --git a/deployment/helm/templates/istio/autorization-rules.yaml b/deployment/helm/templates/istio/autorization-rules.yaml
deleted file mode 100644
index 9800b2de4c0401fd41c2a49ca842cfd7cb905a38..0000000000000000000000000000000000000000
--- a/deployment/helm/templates/istio/autorization-rules.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# templates/istio/authorization-rules.yaml
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: { { include "my_chart.fullname" . } }
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: { { include "my_chart.name" . } }
-      app.kubernetes.io/instance: { { .Release.Name } }
-  action: ALLOW
-  rules:
-    - from:
-        - source:
-            principals: ["cluster.local/ns/default/sa/default"]
-      to:
-        - operation:
-            methods: ["GET"]
diff --git a/deployment/helm/templates/istio/gateway.yaml b/deployment/helm/templates/istio/gateway.yaml
deleted file mode 100644
index 65dfaa3545bab83e5064d7f7f7d222d48bdf66e6..0000000000000000000000000000000000000000
--- a/deployment/helm/templates/istio/gateway.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-# templates/istio/gateway.yaml
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  name: my-chart-gateway
-spec:
-  selector:
-    istio: ingressgateway
-  servers:
-    - port:
-        number: 80
-        name: http
-        protocol: HTTP
-      hosts:
-        - "*"
diff --git a/deployment/helm/templates/istio/virtual-service.yaml b/deployment/helm/templates/istio/virtual-service.yaml
deleted file mode 100644
index 28307d401c7d3232454db523645c09e93977d789..0000000000000000000000000000000000000000
--- a/deployment/helm/templates/istio/virtual-service.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# templates/istio/virtual-service.yaml
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: { { include "my_chart.fullname" . } }
-spec:
-  hosts:
-    - "*"
-  gateways:
-    - my-chart-gateway
-  http:
-    - route:
-        - destination:
-            host: { { include "my_chart.fullname" . } }
-            port:
-              number: 80
diff --git a/deployment/helm/values.yaml b/deployment/helm/values.yaml
index 0fe5900c966d04f77aeaf3656b91fcc1106c710a..672a8ab29906c82a3dc56710f64bdb85028f23fa 100644
--- a/deployment/helm/values.yaml
+++ b/deployment/helm/values.yaml
@@ -73,12 +73,17 @@ signer:
       idle: 120s
       read: 10s
       write: 10s
+
   vault:
     addr: http://vault:8200
-    token: token
+    token:
+      secretName: vault-token
+      key: token
     key:
-      signing: key1
       supported: "ed25519,ecdsa-p256,ecdsa-p384,ecdsa-p521,rsa-2048"
+      signing:
+        secretName: vault-signing-key
+        key: signing-key
   credential:
     issuer: "did:web:tsa.xfsc.dev:tsa:policy:policy:example:returnDID:1.0:evaluation"
 
@@ -91,3 +96,6 @@ ingress:
   frontendDomain: tsa.xfsc.dev
   frontendTlsSecretName: cert-manager-tls
 
+istio:
+  injection:
+    pod: true