diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt
new file mode 100644
index 00000000000000..3b27df1701c32e
--- /dev/null
+++ b/chart/templates/NOTES.txt
@@ -0,0 +1,5 @@
+{{- if (and $.Values.certificatesSecret.fullChainName $.Values.certificatesSecret.chainName $.Values.certificatesSecret.keyName) }}
+You can now directly use a secret of type `kubernetes.io/tls` for your `certificatesSecret` instead of manually packing your certificates
+into an `Opaque` secret with `fullChainName` / `keyName` / `chainName` entries. This older packing method will become deprecated.
+Please migrate to the Kubernetes TLS Secret format. See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for details.
+{{- end }}
diff --git a/chart/templates/proxy-deployment.yaml b/chart/templates/proxy-deployment.yaml
index ebf4ccffaaf0a0..115f9dcaca27e9 100644
--- a/chart/templates/proxy-deployment.yaml
+++ b/chart/templates/proxy-deployment.yaml
@@ -156,16 +156,21 @@ spec:
       - name: config-certificates
         secret:
           secretName: {{ $.Values.certificatesSecret.secretName }}
-{{- if (and $.Values.certificatesSecret.fullChainName $.Values.certificatesSecret.chainName $.Values.certificatesSecret.keyName) }}
           items:
+{{- if (and $.Values.certificatesSecret.fullChainName $.Values.certificatesSecret.chainName $.Values.certificatesSecret.keyName) }}
           - key: {{ $.Values.certificatesSecret.fullChainName }}
             path: fullchain.pem
           - key: {{ $.Values.certificatesSecret.chainName }}
             path: chain.pem
           - key: {{ $.Values.certificatesSecret.keyName }}
             path: privkey.pem
+{{- else }}
+          - key: tls.crt
+            path: fullchain.pem
+          - key: tls.key
+            path: privkey.pem
 {{- end }}
 {{- end }}
 {{ include "gitpod.container.configmap.volumes" $this | indent 6 }}
 {{ toYaml .Values.defaults | indent 6 }}
-{{ end }}
\ No newline at end of file
+{{ end }}