diff --git a/helm-chart/sefaria/templates/gateway/clienttrafficpolicy.yaml b/helm-chart/sefaria/templates/gateway/clienttrafficpolicy.yaml
new file mode 100644
index 0000000000..e8674204aa
--- /dev/null
+++ b/helm-chart/sefaria/templates/gateway/clienttrafficpolicy.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.gateway.enabled }}
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: ClientTrafficPolicy
+metadata:
+ name: {{ .Values.deployEnv }}
+ labels:
+ {{- include "sefaria.labels" . | nindent 4 }}
+spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: {{ .Values.deployEnv }}
+ alpn:
+ protocols:
+ - h2
+ - http/1.1
+{{- end }}
diff --git a/helm-chart/sefaria/templates/gateway/gateway.yaml b/helm-chart/sefaria/templates/gateway/gateway.yaml
new file mode 100644
index 0000000000..89bc81ab5f
--- /dev/null
+++ b/helm-chart/sefaria/templates/gateway/gateway.yaml
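Review bot: The `alpn:` / `protocols:` keys at the end of the ClientTrafficPolicy spec do not match the schema as I know it, where ALPN is set under `spec.tls` as `alpnProtocols`. Please check this against the installed Envoy Gateway CRD version, because an unknown field is either rejected or dropped, and in the second case the policy would apply nothing. If the intent is to pin client-facing TLS behaviour, the same `tls` block is also where `minVersion` belongs. Indentation is lost in this view, so the nesting of `alpn` is inferred.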
@@ -0,0 +1,60 @@
+{{- if .Values.gateway.enabled }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: {{ .Values.deployEnv }}
+ labels:
+ {{- include "sefaria.labels" . | nindent 4 }}
+ annotations: {{ .Values.gateway.annotations | toYaml | nindent 4 }}
+spec:
+ gatewayClassName: {{ .Values.gateway.className }}
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ {{- range .Values.domains.root }}
+ {{- $code := .code }}
+ {{- if kindIs "slice" $code }}
+ {{- $code = index $code 0 }}
+ {{- end }}
+ {{- $rootDomain := tpl .url $ | quote | trimAll "\"" }}
+ {{- $wwwDomain := printf "www.%s" $rootDomain }}
+ {{- $secretName := tpl .cert $ | default ( printf "origin-%s-%s-tls" $.Values.deployEnv $code ) }}
+ - name: https-{{ $code }}
+ protocol: HTTPS
+ port: 443
+ hostname: {{ $rootDomain }}
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - kind: Secret
+ group: ""
+ name: {{ $secretName }}
+ - name: https-www-{{ $code }}
+ protocol: HTTPS
+ port: 443
+ hostname: {{ $wwwDomain }}
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - kind: Secret
+ group: ""
+ name: {{ $secretName }}
+ {{- range $.Values.domains.modules }}
+ {{- $subdomain := index .subdomains $code }}
+ {{- if $subdomain }}
+ - name: https-{{ $subdomain }}-{{ $code }}
+ protocol: HTTPS
+ port: 443
+ {{- $subdomain := printf "%s.%s" $subdomain $rootDomain }}
+ hostname: {{ $subdomain }}
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - kind: Secret
+ group: ""
+ name: {{ $secretName }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/helm-chart/sefaria/templates/gateway/httproute.yaml b/helm-chart/sefaria/templates/gateway/httproute.yaml
new file mode 100644
index 0000000000..1106b9056c
--- /dev/null
+++ b/helm-chart/sefaria/templates/gateway/httproute.yaml
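Review bot: The `http` listener on port 80 has no hostname and no TLS, and the HTTPRoute in httproute.yaml attaches through `parentRefs` by Gateway name only, so it binds to this listener too and the site is served in cleartext alongside the HTTPS listeners. If plaintext access is not required, drop the listener. Otherwise bind the application route to the HTTPS listeners with `sectionName`, and attach a separate route to `http` that carries only a `RequestRedirect` filter with `scheme: https`. Whether port 80 is intentionally open (for example behind a TLS-terminating proxy) cannot be told from this diff.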
@@ -0,0 +1,37 @@ +{{- if .Values.gateway.enabled }} +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: {{ .Values.deployEnv }} + labels: + {{- include "sefaria.labels" . | nindent 4 }} +spec: + parentRefs: + - name: {{ .Values.deployEnv }} + hostnames: + {{- range .Values.domains.root }} + {{- $code := .code }} + {{- if kindIs "slice" $code }} + {{- $code = index $code 0 }} + {{- end }} + {{- $rootDomain := tpl .url $ | quote | trimAll "\"" }} + {{- $wwwDomain := printf "www.%s" $rootDomain }} + - {{ $rootDomain }} + - {{ $wwwDomain }} + {{- range $.Values.domains.modules }} + {{- $subdomain := index .subdomains $code }} + {{- if $subdomain }} + {{- $subdomain := printf "%s.%s" $subdomain $rootDomain }} + - {{ $subdomain }} + {{- end }} + {{- end }} + {{- end }} + rules: + - backendRefs: + - name: nginx-{{ $.Values.deployEnv }} + port: 80 + matches: + - path: + type: PathPrefix + value: / +{{- end }} diff --git a/helm-chart/sefaria/templates/ingress.yaml b/helm-chart/sefaria/templates/ingress.yaml index 01f9965f19..3ba45f8118 100644 --- a/helm-chart/sefaria/templates/ingress.yaml +++ b/helm-chart/sefaria/templates/ingress.yaml @@ -1,3 +1,4 @@ +{{- if .Values.ingress.enabled }} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -21,7 +22,7 @@ spec: {{- end }} {{- $rootDomain := tpl .url $ | quote | trimAll "\"" }} {{- $wwwDomain := printf "www.%s" $rootDomain }} - - secretName: {{ tpl .cert $ | default ( printf "origin-%s-$s-tls" $.Values.deployEnv $code ) }} + - secretName: {{ tpl .cert $ | default ( printf "origin-%s-%s-tls" $.Values.deployEnv $code ) }} hosts: - {{ $rootDomain }} - {{ $wwwDomain }} @@ -75,3 +76,4 @@ spec: {{- end }} {{- end }} {{- end }} +{{- end }} diff --git a/helm-chart/sefaria/values.yaml b/helm-chart/sefaria/values.yaml index dd2fcd9af8..58538372b0 100644 --- a/helm-chart/sefaria/values.yaml +++ b/helm-chart/sefaria/values.yaml 
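Review bot: The hostname loop in httproute.yaml repeats the one in gateway.yaml line for line (root, `www.`, module subdomains), so the two lists can drift and leave a TLS listener without a route, or a route hostname without a listener. Moving the computation into a named template in the chart's helpers and including it from both files would keep them in step. Inside the inner `range`, `{{- $subdomain := printf "%s.%s" $subdomain $rootDomain }}` redeclares `$subdomain`; a distinct name such as `$moduleHost` reads more clearly. The emitted hostnames are unquoted templated scalars, and `- {{ $rootDomain | quote }}` would guard against an empty or odd-looking expansion.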
@@ -266,6 +266,15 @@ domains: - collections - profile +ingress: + enabled: true + +gateway: + enabled: false + className: envoy + annotations: + cert-manager.io/cluster-issuer: ingress-ca + nginx: containerImage: # Full path of the image registry inclusive of the image name
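Review bot: The default `gateway.annotations` ships `cert-manager.io/cluster-issuer: ingress-ca`, so turning on `gateway.enabled` also asks cert-manager to issue certificates for every listener hostname from that issuer and to store them in the Secrets named by `certificateRefs`. Those names come from each domain's `cert` value or `origin-<deployEnv>-<code>-tls`, which look like the Secrets the Ingress already uses. If they hold externally provisioned certificates, issuance may replace them, which is worth confirming before enabling. A neutral default such as `annotations: {}`, with a comment documenting the cert-manager option, would make this an explicit choice per environment. The `nginx:` block in the trailing context continues outside the hunk.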