diff --git a/apps/kustomize/web/base/kustomization.yaml b/apps/kustomize/web/base/kustomization.yaml
new file mode 100644
index 0000000..7a407f1
--- /dev/null
+++ b/apps/kustomize/web/base/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- web/deployment.yaml
+- web/ingress.yaml
+- web/service.yaml
+- web/web-backend-tls.yaml
diff --git a/apps/kustomize/web/base/web/deployment.yaml b/apps/kustomize/web/base/web/deployment.yaml
new file mode 100644
index 0000000..6531a8d
--- /dev/null
+++ b/apps/kustomize/web/base/web/deployment.yaml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: web
+ labels:
+ app: web
+spec:
+ selector:
+ matchLabels:
+ app: web
+ replicas: 2
+ template:
+ metadata:
+ labels:
+ app: web
+ spec:
+ containers:
+ - name: web
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ memory: 512Mi
+ ports:
+ - containerPort: 443
+ protocol: TCP
+ name: https
+ volumeMounts:
+ - mountPath: /tls
+ name: web-backend-tls
+ volumes:
+ - name: web-backend-tls
+ secret:
+ secretName: web-backend-tls
diff --git a/apps/kustomize/web/base/web/ingress.yaml b/apps/kustomize/web/base/web/ingress.yaml
new file mode 100644
index 0000000..32d3ed5
--- /dev/null
+++ b/apps/kustomize/web/base/web/ingress.yaml
@@ -0,0 +1,11 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ acme.cert-manager.io/http01-ingress-class: nginx
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ name: web
+ labels:
+ app: web
+spec:
+ ingressClassName: nginx
diff --git a/apps/kustomize/web/base/web/service.yaml b/apps/kustomize/web/base/web/service.yaml
new file mode 100644
index 0000000..9d51c20
--- /dev/null
+++ b/apps/kustomize/web/base/web/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: web
+spec:
+ ports:
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ app: web
+ type: ClusterIP
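Review bot: The `web` container in base/web/deployment.yaml has no `securityContext`, so it runs with the image's default user, a writable root filesystem and the runtime's default capability set while the `web-backend-tls` private key is mounted at `/tls`. A restrictive container security context, plus `readOnly: true` on the `/tls` mount, narrows what a compromised process can do. Confirm first that the image runs as a non-root user and tolerates a read-only root filesystem. A non-root process with all capabilities dropped generally cannot bind `containerPort: 443`, so the listener may have to move to an unprivileged port with the Service `targetPort` following it. The image is not set in this file, so these settings are assumptions about it.

```yaml
      containers:
      - name: web
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: resources, ports …
        volumeMounts:
        - mountPath: /tls
          name: web-backend-tls
          readOnly: true
```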
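Review bot: `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` in base/web/ingress.yaml encrypts the hop to the pods, but ingress-nginx does not verify the upstream certificate unless told to. As written, the controller never checks the `web-backend-tls` certificate, so the hop is encrypted but the backend is not authenticated. If authenticating the backend is the goal, add `nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"`, `nginx.ingress.kubernetes.io/proxy-ssl-name: "web"` and a `nginx.ingress.kubernetes.io/proxy-ssl-secret` annotation that references a secret carrying the issuing CA. The CA secret's name and namespace are not visible in this commit.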
diff --git a/apps/kustomize/web/base/web/web-backend-tls.yaml b/apps/kustomize/web/base/web/web-backend-tls.yaml
new file mode 100644
index 0000000..4dde1b1
--- /dev/null
+++ b/apps/kustomize/web/base/web/web-backend-tls.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: web-backend-tls
+spec:
+ secretName: web-backend-tls
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ dnsNames:
+ - web
+ issuerRef:
+ name: kubernetes-issuer
+ kind: ClusterIssuer
diff --git a/apps/kustomize/web/envs/stage/kustomization.yaml b/apps/kustomize/web/envs/stage/kustomization.yaml
new file mode 100644
index 0000000..5585eec
--- /dev/null
+++ b/apps/kustomize/web/envs/stage/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../base
+
+patchesStrategicMerge:
+- web/ingress.yaml
+- web/web-image.yaml
diff --git a/apps/kustomize/web/envs/stage/web/ingress.yaml b/apps/kustomize/web/envs/stage/web/ingress.yaml
new file mode 100644
index 0000000..96bff80
--- /dev/null
+++ b/apps/kustomize/web/envs/stage/web/ingress.yaml
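Review bot: The Certificate in base/web/web-backend-tls.yaml lists only the short name `web` under `dnsNames`, so a client that verifies the backend must connect with exactly that name. Callers using a namespace-qualified service name would fail verification, and that deserves a comment or additional names in the overlays. The spec also sets no `privateKey` block. Depending on the cert-manager version, the default may reuse the same key across the 90-day renewals, so consider stating `privateKey.rotationPolicy: Always` explicitly. Whether the workload reloads `/tls` after a renewal is not visible here.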
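Review bot: `patchesStrategicMerge` in envs/stage/kustomization.yaml is deprecated in current kustomize releases in favour of `patches`. The equivalent is `patches:` with `- path: web/ingress.yaml` and `- path: web/web-image.yaml`. The overlay also sets no `namespace:`, so the target namespace depends on whatever applies it. Pinning it here would make the stage target explicit if the deploy tooling does not already do so.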
@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ nginx.ingress.kubernetes.io/auth-url: |-
+ http://ak-outpost-forward-auth-proxy-default.iam.svc.k8s.ho.brds.ca:9000/outpost.goauthentik.io/auth/nginx
+ nginx.ingress.kubernetes.io/auth-signin: |-
+ https://stage.d-b.ca/outpost.goauthentik.io/start?rd=$scheme://$http_host$escaped_request_uri
+ nginx.ingress.kubernetes.io/auth-response-headers: |-
+ Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid
+ nginx.ingress.kubernetes.io/auth-snippet: |
+ proxy_set_header X-Forwarded-Host $http_host;
+ name: web
+spec:
+ rules:
+ - host: stage.d-b.ca
+ http:
+ paths:
+ - backend:
+ service:
+ name: web
+ port:
+ name: https
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - stage.d-b.ca
+ secretName: web-tls
diff --git a/apps/kustomize/web/envs/stage/web/web-image.yaml b/apps/kustomize/web/envs/stage/web/web-image.yaml
new file mode 100644
index 0000000..1714c93
--- /dev/null
+++ b/apps/kustomize/web/envs/stage/web/web-image.yaml
@@ -0,0 +1,10 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: web
+spec:
+ template:
+ spec:
+ containers:
+ - name: web
+ image: git.brds.ca/d-b.ca/web:6d7d641bc24a17038441054568943cb230cedce9
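Review bot: The authentik forward-auth annotations in envs/stage/web/ingress.yaml protect only requests that pass through nginx, and nothing in this commit restricts direct in-cluster access to the `web` Service on 443. A workload that reaches the Service directly skips the login, and if the application trusts the `X-authentik-*` headers it could supply its own values. A NetworkPolicy admitting traffic to pods labelled `app: web` only from the ingress controller's namespace would close that path. Separately, `auth-url` uses plain `http://` for the auth subrequest, which presumably carries the session cookie. `auth-snippet` also takes effect only when the controller allows snippet annotations, which recent ingress-nginx releases disable by default, so confirm that setting on this cluster.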
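Review bot: The image in envs/stage/web/web-image.yaml is pinned by a tag that looks like a commit hash, but a registry tag can be re-pointed, so this manifest does not fix the content that gets deployed. Appending the digest makes the pull content-addressed: `image: git.brds.ca/d-b.ca/web:6d7d641bc24a17038441054568943cb230cedce9@sha256:<digest-placeholder>`. No `imagePullSecrets` appear in the commit, so if the registry is private, pulls presumably rely on node-level or service-account credentials configured elsewhere.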