diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
index a4d081cab..6d2d5d2f0 100644
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -29,6 +29,10 @@ data:
     webhook:
       url: (@= data.values.webhook_url @)
       caBundle: (@= data.values.webhook_ca_bundle @)
+    api:
+      servingCertificate:
+        durationSeconds: (@= str(data.values.api_serving_certificate_duration_seconds) @)
+        renewBeforeSeconds: (@= str(data.values.api_serving_certificate_renew_before_seconds) @)
 ---
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
 apiVersion: v1
diff --git a/deploy/values.yaml b/deploy/values.yaml
index b8c71c549..cf91c93ec 100644
--- a/deploy/values.yaml
+++ b/deploy/values.yaml
@@ -17,3 +17,9 @@ discovery_url: #! e.g., https://example.com
 
 #! e.g. the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
 image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
+
+#! Specify the duration and renewal interval for the API serving certificate.
+#! The defaults are set to expire the cert about every 30 days, and to rotate it
+#! about every 25 days.
+api_serving_certificate_duration_seconds: 2592000
+api_serving_certificate_renew_before_seconds: 2160000