diff --git a/kubernetes/apps/kube-system/cilium/app/helm/values.yaml b/kubernetes/apps/kube-system/cilium/app/helm/values.yaml
index 1b0c3ab0d..7f0a00fb6 100644
--- a/kubernetes/apps/kube-system/cilium/app/helm/values.yaml
+++ b/kubernetes/apps/kube-system/cilium/app/helm/values.yaml
@@ -19,6 +19,10 @@ endpointRoutes:
   enabled: true
 envoy:
   enabled: false
+gatewayAPI:
+  enabled: true
+  enableAlpn: true
+  xffNumTrustedHops: 1
 hubble:
   enabled: false
 ipam:
diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml
index fddd18624..994f044c7 100644
--- a/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml
+++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml
@@ -33,4 +33,4 @@ spec:
       retries: 3
   valuesFrom:
     - kind: ConfigMap
-      name: kubelet-csr-approver-helm-values
+      name: kubelet-csr-approver-values
diff --git a/kubernetes/apps/network/envoy-gateway/operator/helmrelease.yaml b/kubernetes/apps/network/envoy-gateway/crds/helmrelease.yaml
similarity index 76%
rename from kubernetes/apps/network/envoy-gateway/operator/helmrelease.yaml
rename to kubernetes/apps/network/envoy-gateway/crds/helmrelease.yaml
index 810ea41a1..a8bd3c248 100644
--- a/kubernetes/apps/network/envoy-gateway/operator/helmrelease.yaml
+++ b/kubernetes/apps/network/envoy-gateway/crds/helmrelease.yaml
@@ -3,13 +3,13 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: OCIRepository
 metadata:
-  name: envoy-gateway-operator
+  name: envoy-gateway-crds
 spec:
   interval: 30m
   timeout: 60s
   url: oci://docker.io/envoyproxy/gateway-helm
   ref:
-    tag: 1.4.0
+    tag: v1.4.1
   layerSelector:
     mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
     operation: copy
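Review bot: `xffNumTrustedHops: 1` in the added `gatewayAPI` block makes Cilium's Envoy take the second-from-right `X-Forwarded-For` entry as the client address, which is only safe when exactly one trusted proxy in front of the gateway always appends that header; a client that reaches the listener directly can send a two-entry XFF and pick the address seen by allow-lists, rate limits and audit logs. Nothing in this diff shows such an L7 hop in front of the load-balancer addresses used below, so either leave the value at the default `0` or record the assumption, e.g. `xffNumTrustedHops: 1  # trusts exactly one upstream L7 proxy that appends XFF; use 0 if clients can reach the LB directly`. Cilium also expects the gateway.networking.k8s.io CRDs to exist when its operator starts, and in this commit those CRDs appear to be delivered by the Envoy Gateway Helm release in another app, so the startup order between the two is worth pinning or at least documenting here.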
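Review bot: The OCIRepository still pulls `oci://docker.io/envoyproxy/gateway-helm` by a mutable tag (`v1.4.1`) with no `spec.verify`, so a re-pushed tag or a compromised registry account is deployed cluster-wide, and with `install.crds: CreateReplace` in the same file that includes CRD replacement. Pin the chart by digest under `ref` (a `digest: sha256:…` next to the tag) and, if the project publishes cosign signatures for the chart, add `verify:` with `provider: cosign` so Flux rejects an unsigned artifact. Renaming the object to `envoy-gateway-crds` while it still points at the full controller chart rather than a CRD-only chart deserves a comment above `url:` so nobody later assumes this release installs only CRDs.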
@@ -18,13 +18,13 @@ spec:
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: envoy-gateway-operator
+  name: envoy-gateway-crds
 spec:
   interval: 1h
   timeout: 5m
   chartRef:
     kind: OCIRepository
-    name: envoy-gateway-operator
+    name: envoy-gateway-crds
   install:
     crds: CreateReplace
     remediation:
@@ -34,8 +34,3 @@ spec:
     crds: CreateReplace
     remediation:
       retries: 5
-  values:
-    config:
-      envoyGateway:
-        gateway:
-          controllerName: gateway.envoyproxy.io/gatewayclass-controller
diff --git a/kubernetes/apps/network/envoy-gateway/crds/kustomization.yaml b/kubernetes/apps/network/envoy-gateway/crds/kustomization.yaml
new file mode 100644
index 000000000..09bc749a9
--- /dev/null
+++ b/kubernetes/apps/network/envoy-gateway/crds/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml
diff --git a/kubernetes/apps/network/envoy-gateway/external/gateway.yaml b/kubernetes/apps/network/envoy-gateway/external/gateway.yaml
index 7529bb204..40e9dbf3d 100644
--- a/kubernetes/apps/network/envoy-gateway/external/gateway.yaml
+++ b/kubernetes/apps/network/envoy-gateway/external/gateway.yaml
@@ -5,7 +5,7 @@ kind: Gateway
 metadata:
   name: external
   # annotations:
-  #   external-dns.alpha.kubernetes.io/target: external.${SECRET_CLUSTER_DOMAIN}
+  #   external-dns.alpha.kubernetes.io/target: external.${SECRET_EXTERNAL_DOMAIN}
 spec:
   gatewayClassName: envoy-gateway
   addresses:
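Review bot: Dropping `values.config.envoyGateway.gateway.controllerName` leaves the GatewayClass in `operator/gatewayclass.yaml` (outside this hunk) relying on the chart's default controller name; that is only correct if the default equals the `controllerName` the GatewayClass declares, otherwise the class is never Accepted and every Gateway stays unprogrammed with no error in this file. A one-line comment on the HelmRelease would make the coupling visible: `# controllerName left at the chart default; it must match spec.controllerName in operator/gatewayclass.yaml`. After this commit the release named `envoy-gateway-crds` is also the only place the Envoy Gateway controller is installed (the operator kustomization no longer lists a helmrelease), so pruning or deleting it removes the whole data plane, not just CRDs — the name understates what it owns.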
@@ -13,19 +13,19 @@ spec:
       value: "${CLUSTER_LB_ENVOY_EXTERNAL}"
   # infrastructure:
   #   annotations:
-  #     external-dns.alpha.kubernetes.io/hostname: external.${SECRET_CLUSTER_DOMAIN}
+  #     external-dns.alpha.kubernetes.io/hostname: external.${SECRET_EXTERNAL_DOMAIN}
   listeners:
     - name: http
       protocol: HTTP
       port: 80
-      hostname: "*.${SECRET_CLUSTER_DOMAIN}"
+      hostname: "*.${SECRET_EXTERNAL_DOMAIN}"
       allowedRoutes:
         namespaces:
           from: Same
     - name: https
       protocol: HTTPS
       port: 443
-      hostname: "*.${SECRET_CLUSTER_DOMAIN}"
+      hostname: "*.${SECRET_EXTERNAL_DOMAIN}"
       allowedRoutes:
         namespaces:
           from: All
diff --git a/kubernetes/apps/network/envoy-gateway/external/kustomization.yaml b/kubernetes/apps/network/envoy-gateway/external/kustomization.yaml
index 2a01f8e7c..3df48216a 100644
--- a/kubernetes/apps/network/envoy-gateway/external/kustomization.yaml
+++ b/kubernetes/apps/network/envoy-gateway/external/kustomization.yaml
@@ -2,7 +2,6 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: networking-system
 resources:
   - ./gateway.yaml
   - ./redirect.yaml
diff --git a/kubernetes/apps/network/envoy-gateway/internal/gateway.yaml b/kubernetes/apps/network/envoy-gateway/internal/gateway.yaml
index 5abfa17d4..434e4a7ac 100644
--- a/kubernetes/apps/network/envoy-gateway/internal/gateway.yaml
+++ b/kubernetes/apps/network/envoy-gateway/internal/gateway.yaml
@@ -5,7 +5,7 @@ kind: Gateway
 metadata:
   name: internal
   # annotations:
-  #   external-dns.alpha.kubernetes.io/target: internal.${SECRET_CLUSTER_DOMAIN}
+  #   external-dns.alpha.kubernetes.io/target: internal.${SECRET_EXTERNAL_DOMAIN}
 spec:
   gatewayClassName: envoy-gateway
   addresses:
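Review bot: The `https` listener of the externally addressed Gateway keeps `allowedRoutes.namespaces.from: All`, so any namespace in the cluster can attach an HTTPRoute under `*.${SECRET_EXTERNAL_DOMAIN}` and publish it on `${CLUSTER_LB_ENVOY_EXTERNAL}`; the `http` listener next to it is restricted to `Same`, which makes the asymmetry look accidental. On a single-admin cluster this may be a conscious trade-off, but it is the one line that turns a compromised workload namespace into public exposure, so prefer opt-in with `from: Selector` plus `selector: { matchLabels: { external-gateway: allowed } }`, or state in a comment on the listener that `All` is deliberate. Whether TLS termination is configured for this listener is not visible in the hunk.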
@@ -13,19 +13,19 @@ spec:
       value: "${CLUSTER_LB_ENVOY_INTERNAL}"
   # infrastructure:
   #   annotations:
-  #     external-dns.alpha.kubernetes.io/hostname: internal.${SECRET_CLUSTER_DOMAIN}
+  #     external-dns.alpha.kubernetes.io/hostname: internal.${SECRET_EXTERNAL_DOMAIN}
   listeners:
     - name: http
       protocol: HTTP
       port: 80
-      hostname: "*.${SECRET_CLUSTER_DOMAIN}"
+      hostname: "*.${SECRET_EXTERNAL_DOMAIN}"
       allowedRoutes:
         namespaces:
           from: Same
     - name: https
       protocol: HTTPS
       port: 443
-      hostname: "*.${SECRET_CLUSTER_DOMAIN}"
+      hostname: "*.${SECRET_EXTERNAL_DOMAIN}"
       allowedRoutes:
         namespaces:
           from: All
diff --git a/kubernetes/apps/network/envoy-gateway/internal/kustomization.yaml b/kubernetes/apps/network/envoy-gateway/internal/kustomization.yaml
index 1bf35fe35..f5ee97938 100644
--- a/kubernetes/apps/network/envoy-gateway/internal/kustomization.yaml
+++ b/kubernetes/apps/network/envoy-gateway/internal/kustomization.yaml
@@ -2,7 +2,6 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: networking-system
 resources:
   - ./gateway.yaml
   - ./redirect.yaml
diff --git a/kubernetes/apps/network/envoy-gateway/ks.yaml b/kubernetes/apps/network/envoy-gateway/ks.yaml
index 575577d72..f87dfda8b 100644
--- a/kubernetes/apps/network/envoy-gateway/ks.yaml
+++ b/kubernetes/apps/network/envoy-gateway/ks.yaml
@@ -3,7 +3,29 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: &app envoy-gateway
+  name: &app envoy-gateway-crds
+  namespace: &namespace network
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  interval: 1h
+  path: ./kubernetes/apps/network/envoy-gateway/crds
+  prune: true
+  retryInterval: 2m
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+    namespace: flux-system
+  targetNamespace: *namespace
+  timeout: 5m
+  wait: false
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app envoy-gateway-operator
   namespace: &namespace network
 spec:
   commonMetadata:
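Review bot: The new `envoy-gateway-crds` Kustomization sets `wait: false` and declares no health check, so Flux marks it Ready as soon as the HelmRelease object is applied, not when the chart and its CRDs are installed; the `dependsOn` the operator Kustomization places on it therefore orders only the apply, and on a fresh cluster the GatewayClass and EnvoyProxy under `operator/` are applied before their CRDs exist and fail until `retryInterval` retries them. Either set `wait: true` here or add `healthChecks:` with a single `helm.toolkit.fluxcd.io/v2` HelmRelease entry for `envoy-gateway-crds` in namespace `network`, so the ordering the dependency promises actually holds. `prune: true` on this object also means removing the Kustomization uninstalls the Envoy Gateway release, which is worth a comment next to it given the name suggests CRDs only.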
@@ -11,21 +33,24 @@ spec:
       app.kubernetes.io/name: *app
   interval: 1h
   path: ./kubernetes/apps/network/envoy-gateway/operator
-  healthChecks:
-    - apiVersion: helm.toolkit.fluxcd.io/v2
-      kind: HelmRelease
-      name: *app
+  dependsOn:
+    - name: envoy-gateway-crds
       namespace: *namespace
-    - apiVersion: gateway.networking.k8s.io/v1
-      kind: GatewayClass
-      name: envoy-gateway
-  healthCheckExprs:
-    - apiVersion: gateway.networking.k8s.io/v1
-      kind: GatewayClass
-      failed: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'False')
-      inProgress: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'Unknown')
-      current: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'True')
-  prune: false
+  # healthChecks:
+  #   - apiVersion: helm.toolkit.fluxcd.io/v2
+  #     kind: HelmRelease
+  #     name: *app
+  #     namespace: *namespace
+  #   - apiVersion: gateway.networking.k8s.io/v1
+  #     kind: GatewayClass
+  #     name: envoy-gateway
+  # healthCheckExprs:
+  #   - apiVersion: gateway.networking.k8s.io/v1
+  #     kind: GatewayClass
+  #     failed: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'False')
+  #     inProgress: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'Unknown')
+  #     current: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'True')
+  prune: true
   retryInterval: 2m
   sourceRef:
     kind: GitRepository
@@ -45,7 +70,7 @@ spec:
   interval: 1h
   retryInterval: 2m
   timeout: 5m
-  prune: false
+  prune: true
   commonMetadata:
     labels:
       app.kubernetes.io/name: *app
@@ -54,6 +79,7 @@ spec:
     kind: GitRepository
     name: home-ops-kubernetes
     namespace: flux-system
+  targetNamespace: *namespace
   wait: false
   dependsOn:
     - name: envoy-gateway-operator
@@ -69,7 +95,7 @@ spec:
   interval: 1h
   retryInterval: 2m
   timeout: 5m
-  prune: false
+  prune: true
   commonMetadata:
     labels:
       app.kubernetes.io/name: *app
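Review bot: Commenting out `healthChecks` and `healthCheckExprs` removes the only signal that the `envoy-gateway` GatewayClass was Accepted, while the external and internal Gateway Kustomizations further down still `dependsOn: envoy-gateway-operator` with `wait: false`, so that dependency now orders only the apply and no longer waits for a working controller. The HelmRelease item had to go because the release moved to the `crds` path, but the GatewayClass is still applied from this path, so keeping the GatewayClass entry and the three CEL expressions live and deleting only the `HelmRelease` item preserves the gate; a 15-line commented block tends to drift from the live schema and is never validated. If the block is meant to come back, a `# TODO: re-enable once <reason>` above it says more than an unlabelled comment-out.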
@@ -78,6 +104,7 @@ spec:
     kind: GitRepository
     name: home-ops-kubernetes
     namespace: flux-system
+  targetNamespace: *namespace
   wait: false
   dependsOn:
     - name: envoy-gateway-operator
diff --git a/kubernetes/apps/network/envoy-gateway/operator/gatewayclass.yaml b/kubernetes/apps/network/envoy-gateway/operator/gatewayclass.yaml
index 79c5433cc..3537a0197 100644
--- a/kubernetes/apps/network/envoy-gateway/operator/gatewayclass.yaml
+++ b/kubernetes/apps/network/envoy-gateway/operator/gatewayclass.yaml
@@ -10,7 +10,7 @@ spec:
     group: gateway.envoyproxy.io
     kind: EnvoyProxy
     name: proxy-config
-    namespace: networking-system
+    namespace: network
 ---
 # yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.envoyproxy.io/envoyproxy_v1alpha1.json
 apiVersion: gateway.envoyproxy.io/v1alpha1
diff --git a/kubernetes/apps/network/envoy-gateway/operator/kustomization.yaml b/kubernetes/apps/network/envoy-gateway/operator/kustomization.yaml
index ed948af6a..ded543436 100644
--- a/kubernetes/apps/network/envoy-gateway/operator/kustomization.yaml
+++ b/kubernetes/apps/network/envoy-gateway/operator/kustomization.yaml
@@ -2,7 +2,5 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: networking-system
 resources:
   - ./gatewayclass.yaml
-  - ./helmrelease.yaml