diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml index 51cfb64..58e509d 100644 --- a/.gitea/workflows/deploy.yaml +++ b/.gitea/workflows/deploy.yaml @@ -54,11 +54,10 @@ jobs: chmod +x kubectl mv kubectl /usr/local/bin/ - - name: Deploy to K3s - uses: Azure/k8s-set-context@v3 - with: - method: kubeconfig - kubeconfig: ${{ secrets.KUBE_CONFIG }} + - name: Deploy to Volcengine VKE + run: | + mkdir -p ~/.kube + echo "${{ secrets.KUBE_CONFIG_VKE }}" > ~/.kube/config - name: Create or Update Secrets run: | @@ -79,9 +78,15 @@ jobs: sed -i "s|\${CI_REGISTRY_IMAGE}/video-backend:latest|${{ secrets.SWR_SERVER }}/${{ secrets.SWR_ORG }}/video-backend:latest|g" k8s/backend-deployment.yaml sed -i "s|\${CI_REGISTRY_IMAGE}/video-web:latest|${{ secrets.SWR_SERVER }}/${{ secrets.SWR_ORG }}/video-web:latest|g" k8s/web-deployment.yaml + # Install cert-manager (skip if already installed) + kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.1/cert-manager.yaml 2>/dev/null || true + # Wait for cert-manager to be ready + kubectl -n cert-manager wait --for=condition=Available deployment/cert-manager-webhook --timeout=120s 2>/dev/null || true + # Apply all manifests set -o pipefail { + kubectl apply -f k8s/cert-manager-issuer.yaml kubectl apply -f k8s/backend-deployment.yaml kubectl apply -f k8s/web-deployment.yaml kubectl apply -f k8s/ingress.yaml diff --git a/k8s/backend-deployment.yaml b/k8s/backend-deployment.yaml index adc505b..dfc03f9 100644 --- a/k8s/backend-deployment.yaml +++ b/k8s/backend-deployment.yaml @@ -13,6 +13,8 @@ spec: metadata: labels: app: video-backend + annotations: + vke.volcengine.com/burst-to-vci: "enforce" spec: containers: - name: video-backend diff --git a/k8s/cert-manager-issuer.yaml b/k8s/cert-manager-issuer.yaml new file mode 100644 index 0000000..006121b --- /dev/null +++ b/k8s/cert-manager-issuer.yaml 
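Review bot: The new `Deploy to Volcengine VKE` step expands `${{ secrets.KUBE_CONFIG_VKE }}` into the script text before the shell runs, so any `"`, `$` or backtick inside the kubeconfig is interpreted by the shell and can truncate or corrupt the written file. The file is also created under the runner's default umask, which on a shared or persistent runner may leave a cluster credential readable by other local users. Passing the secret through the step's `env:` and writing it under `umask 077` avoids both problems. On a persistent runner, a final `if: always()` step that removes `~/.kube/config` would also keep the credential from outliving the job.

```yaml
- name: Deploy to Volcengine VKE
  env:
    KUBE_CONFIG_VKE: ${{ secrets.KUBE_CONFIG_VKE }}
  run: |
    umask 077
    # … unchanged: mkdir -p ~/.kube …
    printf '%s\n' "$KUBE_CONFIG_VKE" > ~/.kube/config
```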
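Review bot: Both added cert-manager commands end in `2>/dev/null || true`, which hides every failure (network error, RBAC denial, webhook never becoming Available), so the job goes on to `kubectl apply -f k8s/cert-manager-issuer.yaml` with no log output to diagnose from. The comment `skip if already installed` does not match the command, because `kubectl apply` re-applies the manifest on every run. The manifest is also fetched from a release URL at deploy time and applied with the deploy credential without an integrity check; committing the v1.17.1 manifest to the repository, or checking it against a recorded SHA-256 before applying, would make what is installed cluster-wide reviewable. At minimum the wait should be allowed to fail the job: `kubectl -n cert-manager wait --for=condition=Available deployment/cert-manager-webhook --timeout=120s`. The enclosing `run:` block starts and ends outside the hunk.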
@@ -0,0 +1,15 @@ +# ClusterIssuer for Let's Encrypt automatic certificate generation & renewal +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: airlabsv001@gmail.com + privateKeySecretRef: + name: letsencrypt-prod-key + solvers: + - http01: + ingress: + class: alb diff --git a/k8s/ingress.yaml b/k8s/ingress.yaml index 3562df1..071f433 100644 --- a/k8s/ingress.yaml +++ b/k8s/ingress.yaml @@ -3,16 +3,16 @@ kind: Ingress metadata: name: video-huoshan-ingress annotations: - kubernetes.io/ingress.class: "traefik" + kubernetes.io/ingress.class: "alb" + alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]' + alb.ingress.kubernetes.io/ssl-redirect: "true" cert-manager.io/cluster-issuer: "letsencrypt-prod" spec: tls: - hosts: - video-huoshan-api.airlabs.art - secretName: video-huoshan-api-tls - - hosts: - video-huoshan-web.airlabs.art - secretName: video-huoshan-web-tls + secretName: video-huoshan-tls rules: - host: video-huoshan-api.airlabs.art http: diff --git a/k8s/web-deployment.yaml b/k8s/web-deployment.yaml index 121435b..a8b2bdb 100644 --- a/k8s/web-deployment.yaml +++ b/k8s/web-deployment.yaml @@ -13,6 +13,8 @@ spec: metadata: labels: app: video-web + annotations: + vke.volcengine.com/burst-to-vci: "enforce" spec: containers: - name: video-web
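Review bot: `letsencrypt-prod` is declared as a `ClusterIssuer`, so every namespace whose users can create an Ingress or Certificate can obtain publicly trusted certificates through this ACME account; whether other workloads share the cluster is not visible here. If only the video application needs it, a namespaced `Issuer` (with the Ingress annotation changed to `cert-manager.io/issuer`) narrows that scope. The file also targets the Let's Encrypt production directory with no staging counterpart, so a misconfigured first rollout on the new cluster counts against production rate limits. A header comment such as `# Cluster-wide issuer: usable from every namespace; restrict with RBAC or switch to Issuer` would make the choice explicit.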
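Review bot: With `alb.ingress.kubernetes.io/ssl-redirect: "true"` on the same Ingress that cert-manager's HTTP-01 solver must answer for, first issuance depends on how the ALB controller handles `/.well-known/acme-challenge/` requests on port 80 before `video-huoshan-tls` exists. That behaviour is not visible in this diff and should be confirmed on the new cluster. Because both hosts now share one `secretName`, a failed challenge for either hostname presumably leaves both without a certificate rather than one. A comment above the annotation such as `# HTTP-01 challenges arrive on :80; verify issuance still succeeds with redirect enabled` would record the dependency. The hunk shows only part of the Ingress spec.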