diff --git a/apps/kustomize/web/base/gateway/backendtlspolicy.yaml b/apps/kustomize/web/base/gateway/backendtlspolicy.yaml
new file mode 100644
index 0000000..434e311
--- /dev/null
+++ b/apps/kustomize/web/base/gateway/backendtlspolicy.yaml
@@ -0,0 +1,14 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: BackendTLSPolicy
+metadata:
+ name: web-gw
+spec:
+ targetRefs:
+ - kind: Service
+ name: web
+ group: ""
+ validation:
+ caCertificateRefs:
+ - kind: ConfigMap
+ name: brds-bundle
+ group: ""
diff --git a/apps/kustomize/web/base/gateway/gateway.yaml b/apps/kustomize/web/base/gateway/gateway.yaml
new file mode 100644
index 0000000..783203a
--- /dev/null
+++ b/apps/kustomize/web/base/gateway/gateway.yaml
@@ -0,0 +1,8 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ annotations:
+ cert-manager.io/issuer: web-gw-issuer
+ name: web-gw
+spec:
+ gatewayClassName: cilium
diff --git a/apps/kustomize/web/base/gateway/issuer.yaml b/apps/kustomize/web/base/gateway/issuer.yaml
new file mode 100644
index 0000000..b44c89b
--- /dev/null
+++ b/apps/kustomize/web/base/gateway/issuer.yaml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: web-gw-issuer
+spec:
+ acme:
+ email: drew@brds.ca
+ privateKeySecretRef:
+ name: web-gw-issuer
+ solvers:
+ - http01:
+ gatewayHTTPRoute:
+ parentRefs:
+ - name: web-gw
+ kind: Gateway
diff --git a/apps/kustomize/web/base/gateway/referencegrant.yaml b/apps/kustomize/web/base/gateway/referencegrant.yaml
new file mode 100644
index 0000000..775d37f
--- /dev/null
+++ b/apps/kustomize/web/base/gateway/referencegrant.yaml
@@ -0,0 +1,12 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+ name: web-gw
+spec:
+ from:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ namespace: gateway-prod
+ to:
+ - group: ""
+ kind: Secret
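Review bot: The ReferenceGrant's `to` entry in referencegrant.yaml names only `kind: Secret` with no `name`, so any Gateway in `gateway-prod` may reference every Secret in this namespace rather than just the TLS certificate the shared gateway needs. The grant should be scoped to that one Secret, `- group: ""` / `kind: Secret` / `name: web-tls` (the name the stage overlay uses in `certificateRefs`), or, if the name differs per environment, the `name` should be patched in by each overlay the same way the other gateway resources are. The `from` side is already narrow, so this is the only broad edge in the grant.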
diff --git a/apps/kustomize/web/base/gateway/routes/http-v4.yaml b/apps/kustomize/web/base/gateway/routes/http-v4.yaml
new file mode 100644
index 0000000..0496665
--- /dev/null
+++ b/apps/kustomize/web/base/gateway/routes/http-v4.yaml
@@ -0,0 +1,15 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: web-http-v4
+spec:
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
diff --git a/apps/kustomize/web/base/gateway/routes/http.yaml b/apps/kustomize/web/base/gateway/routes/http.yaml
new file mode 100644
index 0000000..a01e391
--- /dev/null
+++ b/apps/kustomize/web/base/gateway/routes/http.yaml
@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: web-http
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: web-gw
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
diff --git a/apps/kustomize/web/base/gateway/routes/https-v4.yaml b/apps/kustomize/web/base/gateway/routes/https-v4.yaml
new file mode 100644
index 0000000..5eea61d
--- /dev/null
+++ b/apps/kustomize/web/base/gateway/routes/https-v4.yaml
@@ -0,0 +1,15 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: web-https-v4
+spec:
+ rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: web
+ port: 443
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
diff --git a/apps/kustomize/web/base/gateway/routes/https.yaml b/apps/kustomize/web/base/gateway/routes/https.yaml
new file mode 100644
index 0000000..a3bb712
--- /dev/null
+++ b/apps/kustomize/web/base/gateway/routes/https.yaml
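Review bot: The base `http-v4.yaml` and `https-v4.yaml` routes carry no `parentRefs`, and none of the base routes carry `hostnames`, so on their own they attach to nothing and only become live once an env overlay patches those fields in; nothing in the files states that contract. A one-line header comment in each base route, `# parentRefs/hostnames are supplied by the env overlay (envs/<env>/gateway/routes/)`, would stop a future overlay from shipping a route that silently never attaches. The same comment belongs on `http.yaml` here and on base `https.yaml` in the next hunk.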
@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: web-https
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: web-gw
+ sectionName: https
+ rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: web
+ port: 443
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
diff --git a/apps/kustomize/web/base/kustomization.yaml b/apps/kustomize/web/base/kustomization.yaml
index 8bd4f40..7e73210 100644
--- a/apps/kustomize/web/base/kustomization.yaml
+++ b/apps/kustomize/web/base/kustomization.yaml
@@ -2,7 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
+ - gateway/routes/http.yaml
+ - gateway/routes/http-v4.yaml
+ - gateway/routes/https.yaml
+ - gateway/routes/https-v4.yaml
+ - gateway/backendtlspolicy.yaml
+ - gateway/gateway.yaml
+ - gateway/issuer.yaml
+ - gateway/referencegrant.yaml
- web/deployment.yaml
- - web/ingress.yaml
- web/service.yaml
- web/web-backend-tls.yaml
diff --git a/apps/kustomize/web/base/web/ingress.yaml b/apps/kustomize/web/base/web/ingress.yaml
deleted file mode 100644
index 32d3ed5..0000000
--- a/apps/kustomize/web/base/web/ingress.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- annotations:
- acme.cert-manager.io/http01-ingress-class: nginx
- nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
- name: web
- labels:
- app: web
-spec:
- ingressClassName: nginx
diff --git a/apps/kustomize/web/envs/stage/gateway/backendtlspolicy.yaml b/apps/kustomize/web/envs/stage/gateway/backendtlspolicy.yaml
new file mode 100644
index 0000000..b999fa9
--- /dev/null
+++ b/apps/kustomize/web/envs/stage/gateway/backendtlspolicy.yaml
@@ -0,0 +1,10 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: BackendTLSPolicy
+metadata:
+ name: web-gw
+spec:
+ validation:
+ hostname: stage.d-b.ca
+ subjectAltNames:
+ - type: Hostname
+ hostname: stage.d-b.ca
diff --git a/apps/kustomize/web/envs/stage/gateway/gateway.yaml b/apps/kustomize/web/envs/stage/gateway/gateway.yaml
new file mode 100644
index 0000000..16e13df
--- /dev/null
+++ b/apps/kustomize/web/envs/stage/gateway/gateway.yaml
@@ -0,0 +1,26 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: web-gw
+spec:
+ addresses:
+ - value: 2600:70ff:b815:802:88eb:2ce8:86c9:564c
+ listeners:
+ - name: http
+ hostname: stage.d-b.ca
+ port: 80
+ protocol: HTTP
+ allowedRoutes:
+ namespaces:
+ from: Same
+ - name: https
+ hostname: stage.d-b.ca
+ port: 443
+ protocol: HTTPS
+ allowedRoutes:
+ namespaces:
+ from: Same
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - name: web-tls
diff --git a/apps/kustomize/web/envs/stage/gateway/issuer.yaml b/apps/kustomize/web/envs/stage/gateway/issuer.yaml
new file mode 100644
index 0000000..07ea348
--- /dev/null
+++ b/apps/kustomize/web/envs/stage/gateway/issuer.yaml
@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: web-gw-issuer
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
diff --git a/apps/kustomize/web/envs/stage/gateway/routes/http-v4.yaml b/apps/kustomize/web/envs/stage/gateway/routes/http-v4.yaml
new file mode 100644
index 0000000..78a5bcf
--- /dev/null
+++ b/apps/kustomize/web/envs/stage/gateway/routes/http-v4.yaml
@@ -0,0 +1,13 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: web-http-v4
+spec:
+ hostnames:
+ - stage.d-b.ca
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: v4-gw
+ namespace: gateway-prod
+ sectionName: dbca-web-stage-http
diff --git a/apps/kustomize/web/envs/stage/gateway/routes/http.yaml b/apps/kustomize/web/envs/stage/gateway/routes/http.yaml
new file mode 100644
index 0000000..e8a93b0
--- /dev/null
+++ b/apps/kustomize/web/envs/stage/gateway/routes/http.yaml
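Review bot: The IPv6 literal under `addresses` in the stage gateway.yaml is an unquoted plain scalar; it survives only because it happens to contain hex letters, whereas an all-digit address of the same shape is a YAML 1.1 sexagesimal integer on some parsers. Quote it as `- value: "2600:70ff:b815:802:88eb:2ce8:86c9:564c"` so the value is a string regardless of which loader reads the overlay. The listener side is otherwise tight: both listeners pin `hostname` and restrict `allowedRoutes` to `Same`, which is what keeps other namespaces from claiming this vhost on the dedicated gateway.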
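Review bot: The stage `http-v4.yaml` route attaches across namespaces to `v4-gw` in `gateway-prod` via `sectionName: dbca-web-stage-http`, which only takes effect if that listener's `allowedRoutes` admits the `dbca-web-stage` namespace; the shared gateway is outside this diff, so that admission (and that the listener is not open to all namespaces) needs confirming before merge. Note also that the ACME solver route created by the base Issuer attaches only to `web-gw`, so a challenge that arrives through `v4-gw` on port 80 meets this redirect rather than the solver; if issuance is observed to flake, that is the first place to look. The same cross-namespace attachment appears in `https-v4.yaml` in the next hunk.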
@@ -0,0 +1,7 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: web-http
+spec:
+ hostnames:
+ - stage.d-b.ca
diff --git a/apps/kustomize/web/envs/stage/gateway/routes/https-v4.yaml b/apps/kustomize/web/envs/stage/gateway/routes/https-v4.yaml
new file mode 100644
index 0000000..97d428f
--- /dev/null
+++ b/apps/kustomize/web/envs/stage/gateway/routes/https-v4.yaml
@@ -0,0 +1,13 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: web-https-v4
+spec:
+ hostnames:
+ - stage.d-b.ca
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: v4-gw
+ namespace: gateway-prod
+ sectionName: dbca-web-stage-https
diff --git a/apps/kustomize/web/envs/stage/gateway/routes/https.yaml b/apps/kustomize/web/envs/stage/gateway/routes/https.yaml
new file mode 100644
index 0000000..b9fd0c4
--- /dev/null
+++ b/apps/kustomize/web/envs/stage/gateway/routes/https.yaml
@@ -0,0 +1,7 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: web-https
+spec:
+ hostnames:
+ - stage.d-b.ca
diff --git a/apps/kustomize/web/envs/stage/kustomization.yaml b/apps/kustomize/web/envs/stage/kustomization.yaml
index c320858..1866503 100644
--- a/apps/kustomize/web/envs/stage/kustomization.yaml
+++ b/apps/kustomize/web/envs/stage/kustomization.yaml
@@ -3,8 +3,15 @@ kind: Kustomization
resources:
- ../../base
+ - namespace.yaml
patches:
- - path: web/ingress.yaml
+ - path: gateway/routes/http.yaml
+ - path: gateway/routes/http-v4.yaml
+ - path: gateway/routes/https.yaml
+ - path: gateway/routes/https-v4.yaml
+ - path: gateway/backendtlspolicy.yaml
+ - path: gateway/gateway.yaml
+ - path: gateway/issuer.yaml
- path: web/web-backend-tls.yaml
- path: web/web-image.yaml
diff --git a/apps/kustomize/web/envs/stage/namespace.yaml b/apps/kustomize/web/envs/stage/namespace.yaml
new file mode 100644
index 0000000..697b6d4
--- /dev/null
+++ b/apps/kustomize/web/envs/stage/namespace.yaml
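Review bot: The stage `https.yaml` and `https-v4.yaml` routes hand `stage.d-b.ca` straight to the `web` backend with no authentication step, whereas the stage Ingress this commit deletes (`envs/stage/web/ingress.yaml`, further down) gated every request behind authentik forward-auth via its `auth-url`/`auth-signin` annotations; nothing in the new routes or the patched kustomization replaces that, so once this applies the stage site is reachable without a login. If dropping the gate is intended, a comment on both overlay routes, `# no forward-auth here: the authentik gate from the old nginx ingress was deliberately removed`, would stop the next reader from treating it as an oversight. If it is not intended, the HTTPS routes need the Gateway implementation's external-auth mechanism (or an in-app check) wired in before this merges, since neither `HTTPRoute` file carries a filter that could do it.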
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: dbca-web-stage
+ labels:
+ brds.ca/localca: enabled
diff --git a/apps/kustomize/web/envs/stage/web/ingress.yaml b/apps/kustomize/web/envs/stage/web/ingress.yaml
deleted file mode 100644
index 1af49d3..0000000
--- a/apps/kustomize/web/envs/stage/web/ingress.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-prod
- nginx.ingress.kubernetes.io/auth-url: |-
- http://ak-outpost-forward-auth-proxy-default.iam.svc.k8s.ho.brds.ca:9000/outpost.goauthentik.io/auth/nginx
- nginx.ingress.kubernetes.io/auth-signin: |-
- https://stage.d-b.ca/outpost.goauthentik.io/start?rd=$scheme://$http_host$escaped_request_uri
- nginx.ingress.kubernetes.io/auth-response-headers: |-
- Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid
- nginx.ingress.kubernetes.io/auth-snippet: |
- proxy_set_header X-Forwarded-Host $http_host;
- name: web
-spec:
- rules:
- - host: stage.d-b.ca
- http:
- paths:
- - backend:
- service:
- name: web
- port:
- name: https
- path: /
- pathType: Prefix
- tls:
- - hosts:
- - stage.d-b.ca
- secretName: web-tls
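Review bot: The `brds.ca/localca: enabled` label on the new Namespace is undocumented, yet it is presumably what causes the `brds-bundle` CA ConfigMap that base `backendtlspolicy.yaml` references to be placed into this namespace; without it the BackendTLSPolicy has no CA to validate the backend against and the HTTPS routes fail closed. A comment above the label, `# opts this namespace into the brds-bundle CA ConfigMap consumed by base/gateway/backendtlspolicy.yaml (distributed by the local-CA bundle controller)`, would make that coupling visible; confirm the exact selector the bundle controller uses, as it is outside this diff.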