diff --git a/api/v1alpha1/nginxingresscontroller_types.go b/api/v1alpha1/nginxingresscontroller_types.go
index ee0b8cf1..de9c3a5c 100644
--- a/api/v1alpha1/nginxingresscontroller_types.go
+++ b/api/v1alpha1/nginxingresscontroller_types.go
@@ -263,6 +263,8 @@ type Prometheus struct {
 // +kubebuilder:validation:Optional
 // +nullable
 Port *uint16 `json:"port"`
+ // Specifies an TLS Secret in the format namespace/name to use to secure the Prometheus endpoint.
+ Secret string `json:"secret"`
 }
 
 // AppProtect support configuration.
diff --git a/bundle/manifests/k8s.nginx.org_nginxingresscontrollers.yaml b/bundle/manifests/k8s.nginx.org_nginxingresscontrollers.yaml
index 0309aae6..708a8fde 100644
--- a/bundle/manifests/k8s.nginx.org_nginxingresscontrollers.yaml
+++ b/bundle/manifests/k8s.nginx.org_nginxingresscontrollers.yaml
@@ -195,6 +195,13 @@ spec:
 minimum: 1023
 nullable: true
 type: integer
+ secret:
+ description: A Secret with a TLS certificate and key for TLS termination
+ of the Prometheus endpoint. If the argument is set,
+ but the Ingress controller is not able to fetch the Secret from
+ Kubernetes API, the Ingress Controller will fail to start. Format
+ is namespace/name.
+ type: string
 required:
 - enable
 type: object
diff --git a/config/crd/bases/k8s.nginx.org_nginxingresscontrollers.yaml b/config/crd/bases/k8s.nginx.org_nginxingresscontrollers.yaml
index 92ffe8fc..06d8fd21 100644
--- a/config/crd/bases/k8s.nginx.org_nginxingresscontrollers.yaml
+++ b/config/crd/bases/k8s.nginx.org_nginxingresscontrollers.yaml
@@ -197,8 +197,13 @@ spec:
 minimum: 1023
 nullable: true
 type: integer
+ secret:
+ description: Specifies an TLS Secret in the format namespace/name
+ to use to secure the Prometheus endpoint.
+ type: string
 required:
 - enable
+ - secret
 type: object
 replicas:
 description: The number of replicas of the Ingress Controller pod.
diff --git a/controllers/utils.go b/controllers/utils.go
index 371ba0fc..5c09d3cc 100644
--- a/controllers/utils.go
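Review bot: The new field `Secret string `json:"secret"`` in the types.go hunk has neither `omitempty` nor the `// +kubebuilder:validation:Optional` marker that the neighbouring `Port` field carries, so controller-gen treats it as required — which is why the config/crd hunk adds `- secret` under `required:` while the bundle manifest hunk and the docs table both present the field as optional. With the regenerated CRD, every existing NginxIngressController object that does not set `spec.prometheus.secret` would fail validation, and the two CRD copies now disagree with each other. Suggested: add `// +kubebuilder:validation:Optional` above the field, change the tag to `json:"secret,omitempty"`, and regenerate both manifests so `required:` lists only `enable` in each. A `// +kubebuilder:validation:Pattern` marker constraining the value to the `namespace/name` form would let the API server reject malformed references at admission instead of leaving it to the Ingress Controller pod to fail at start-up, as the bundle description warns. The doc comment's `an TLS Secret` should read `a TLS Secret` (same wording appears in the config/crd description).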
+++ b/controllers/utils.go
@@ -111,6 +111,10 @@ func generatePodArgs(instance *k8sv1alpha1.NginxIngressController) []string {
 if instance.Spec.EnableLatencyMetrics {
 args = append(args, "-enable-latency-metrics")
 }
+
+ if instance.Spec.Prometheus.Secret != "" {
+ args = append(args, fmt.Sprintf("-prometheus-tls-secret=%v", instance.Spec.Prometheus.Secret))
+ }
 }
 
 if instance.Spec.EnableCRDs != nil && !*instance.Spec.EnableCRDs {
diff --git a/controllers/utils_test.go b/controllers/utils_test.go
index f7977179..9d3214d9 100644
--- a/controllers/utils_test.go
+++ b/controllers/utils_test.go
@@ -225,6 +225,7 @@ func TestGeneratePodArgs(t *testing.T) {
 Prometheus: &k8sv1alpha1.Prometheus{
 Enable: true,
 Port: &promPort,
+ Secret: "my-nginx-ingress/prometheus-secret",
 },
 EnableLatencyMetrics: true,
 GlobalConfiguration: "my-nginx-ingress/globalconfiguration",
@@ -260,6 +261,7 @@ func TestGeneratePodArgs(t *testing.T) {
 "-enable-prometheus-metrics",
 "-prometheus-metrics-listen-port=9114",
 "-enable-latency-metrics",
+ "-prometheus-tls-secret=my-nginx-ingress/prometheus-secret",
 "-enable-custom-resources=false",
 "-nginx-reload-timeout=5000",
 },
diff --git a/docs/nginx-ingress-controller.md b/docs/nginx-ingress-controller.md
index 99b932e5..7d2fd2d7 100644
--- a/docs/nginx-ingress-controller.md
+++ b/docs/nginx-ingress-controller.md
@@ -65,6 +65,7 @@ spec:
 prometheus:
 enable: true
 port: 9114
+ secret: my-nginx-ingress/prometheus-secret
 enableLatencyMetrics: false
 configMapData:
 error-log-level: debug
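Review bot: The new `if instance.Spec.Prometheus.Secret != ""` branch forwards the reference verbatim, so a value that is not in `namespace/name` form is only detected when the Ingress Controller pod fails to start, as the bundle description warns; the operator could surface this earlier, either with a format check here or with validation on the CRD field. The closing `}` right after the branch shows it sits inside an enclosing block that opens outside the hunk — presumably the `Prometheus != nil` guard, which is what makes this dereference safe; worth confirming, since `EnableLatencyMetrics` is a field of `Spec`, not of `Prometheus`. Because the flag carries a resource name rather than key material, passing it on the command line does not expose the certificate or key. `fmt.Sprintf("%v", …)` on a plain string could be `"-prometheus-tls-secret=" + instance.Spec.Prometheus.Secret`, unless the rest of the file builds flags with Sprintf. The utils_test.go hunks cover only the populated case; a fixture with an empty `Secret` should assert the flag is absent, and generatePodArgs itself starts and ends outside the hunk.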
@@ -147,6 +148,7 @@ spec:
 | --- | --- | --- | --- |
 | `enable` | `boolean` | Enable Prometheus metrics. | Yes |
 | `port` | `int` | Sets the port where the Prometheus metrics are exposed. Default is 9113. Format is `1023 - 65535`. | No |
+| `secret` | `string` | Sets the namespace/name of a TLS Secret Resource to use to enable TLS for the Prometheus endpoint. | No |
 | `enableLatencyMetrics` | `boolean` | Bucketed response times from when NGINX establishes a connection to an upstream server to when the last byte of the response body is received by NGINX. **Note** The metric for the upstream isn't available until traffic is sent to the upstream. Requires prometheus set to true | No |
 
 ## NginxIngressController.AppProtect