diff --git a/charts/gateway-helm/templates/certgen-rbac.yaml b/charts/gateway-helm/templates/certgen-rbac.yaml
index f78c36709b6..ff805dad3db 100644
--- a/charts/gateway-helm/templates/certgen-rbac.yaml
+++ b/charts/gateway-helm/templates/certgen-rbac.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "eg.fullname" . }}-certgen
+  namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
   annotations:
@@ -11,6 +12,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "eg.fullname" . }}-certgen
+  namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
   annotations:
@@ -29,6 +31,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "eg.fullname" . }}-certgen
+  namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
   annotations:
diff --git a/charts/gateway-helm/templates/certgen.yaml b/charts/gateway-helm/templates/certgen.yaml
index 2b40f599eeb..25f65196da6 100644
--- a/charts/gateway-helm/templates/certgen.yaml
+++ b/charts/gateway-helm/templates/certgen.yaml
@@ -2,6 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: {{ include "eg.fullname" . }}-certgen
+  namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
   annotations:
diff --git a/charts/gateway-helm/templates/envoy-gateway-config.yaml b/charts/gateway-helm/templates/envoy-gateway-config.yaml
index 255030c9ee7..c969f60454f 100644
--- a/charts/gateway-helm/templates/envoy-gateway-config.yaml
+++ b/charts/gateway-helm/templates/envoy-gateway-config.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: envoy-gateway-config
+  namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
 data:
diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml
index bc4c6224845..e2cc40b9a24 100644
--- a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml
+++ b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: envoy-gateway
+  namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
 ---
@@ -9,6 +10,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: envoy-gateway
+  namespace: '{{ .Release.Namespace }}'
   labels:
     control-plane: envoy-gateway
   {{- include "eg.labels" . | nindent 4 }}
diff --git a/charts/gateway-helm/templates/envoy-gateway-metrics-service.yaml b/charts/gateway-helm/templates/envoy-gateway-metrics-service.yaml
index b19069eec0c..bd5f1c6b8e2 100644
--- a/charts/gateway-helm/templates/envoy-gateway-metrics-service.yaml
+++ b/charts/gateway-helm/templates/envoy-gateway-metrics-service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: envoy-gateway-metrics-service
+  namespace: '{{ .Release.Namespace }}'
   labels:
     control-plane: envoy-gateway
   {{- include "eg.labels" . | nindent 4 }}
diff --git a/charts/gateway-helm/templates/envoy-gateway-service.yaml b/charts/gateway-helm/templates/envoy-gateway-service.yaml
index 1b1a0c283a4..b9dd4cd5f22 100644
--- a/charts/gateway-helm/templates/envoy-gateway-service.yaml
+++ b/charts/gateway-helm/templates/envoy-gateway-service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: envoy-gateway
+  namespace: '{{ .Release.Namespace }}'
   labels:
     control-plane: envoy-gateway
   {{- include "eg.labels" . | nindent 4 }}
diff --git a/charts/gateway-helm/templates/infra-manager-rbac.yaml b/charts/gateway-helm/templates/infra-manager-rbac.yaml
index 95b8669bc31..6f3e5a4677f 100644
--- a/charts/gateway-helm/templates/infra-manager-rbac.yaml
+++ b/charts/gateway-helm/templates/infra-manager-rbac.yaml
@@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "eg.fullname" . }}-infra-manager
+  namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
 rules:
@@ -29,6 +30,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "eg.fullname" . }}-infra-manager
+  namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
 roleRef:
diff --git a/charts/gateway-helm/templates/leader-election-rbac.yaml b/charts/gateway-helm/templates/leader-election-rbac.yaml
index ffd849f4272..5b59f34c7ca 100644
--- a/charts/gateway-helm/templates/leader-election-rbac.yaml
+++ b/charts/gateway-helm/templates/leader-election-rbac.yaml
@@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "eg.fullname" . }}-leader-election-role
+  namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
 rules:
@@ -41,6 +42,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "eg.fullname" . }}-leader-election-rolebinding
+  namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
 roleRef:
diff --git a/charts/gateway-helm/templates/metrics-reader-rbac.yaml b/charts/gateway-helm/templates/metrics-reader-rbac.yaml
index b3bec93b99b..3b77e714185 100644
--- a/charts/gateway-helm/templates/metrics-reader-rbac.yaml
+++ b/charts/gateway-helm/templates/metrics-reader-rbac.yaml
@@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ include "eg.fullname" . }}-metrics-reader
+  namespace: '{{ .Release.Namespace }}'
   labels:
   {{- include "eg.labels" . | nindent 4 }}
 rules:
diff --git a/charts/gateway-helm/templates/namespace.yaml b/charts/gateway-helm/templates/namespace.yaml
new file mode 100644
index 00000000000..0361b229daa
--- /dev/null
+++ b/charts/gateway-helm/templates/namespace.yaml
@@ -0,0 +1,6 @@
+{{ if .Values.createNamespace }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: '{{ .Release.Namespace }}' 
+{{ end }}    
diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml
index 94bbd583d27..d1fdd1979d9 100644
--- a/charts/gateway-helm/values.tmpl.yaml
+++ b/charts/gateway-helm/values.tmpl.yaml
@@ -42,3 +42,4 @@ envoyGatewayMetricsService:
     protocol: TCP
     targetPort: https
 
+createNamespace: false
diff --git a/docs/latest/user/customize-envoyproxy.md b/docs/latest/user/customize-envoyproxy.md
index b17ee01745c..c8ca9b357fc 100644
--- a/docs/latest/user/customize-envoyproxy.md
+++ b/docs/latest/user/customize-envoyproxy.md
@@ -171,13 +171,82 @@ metadata:
   namespace: envoy-gateway-system
 spec:
   bootstrap: |
-    xxxxxxxxxx
-
+    admin:
+      access_log:
+      - name: envoy.access_loggers.file
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+          path: /dev/null
+      address:
+        socket_address:
+          address: 127.0.0.1
+          port_value: 20000
+    dynamic_resources:
+      ads_config:
+        api_type: DELTA_GRPC
+        transport_api_version: V3
+        grpc_services:
+        - envoy_grpc:
+            cluster_name: xds_cluster
+        set_node_on_first_message_only: true
+      lds_config:
+        ads: {}
+      cds_config:
+        ads: {}
+    static_resources:
+      clusters:
+      - connect_timeout: 10s
+        load_assignment:
+          cluster_name: xds_cluster
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: envoy-gateway
+                    port_value: 18000
+        typed_extension_protocol_options:
+          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions":
+             "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+             "explicit_http_config":
+               "http2_protocol_options": {}
+        name: xds_cluster
+        type: STRICT_DNS
+        transport_socket:
+          name: envoy.transport_sockets.tls
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+            common_tls_context:
+              tls_params:
+                tls_maximum_protocol_version: TLSv1_3
+              tls_certificate_sds_secret_configs:
+              - name: xds_certificate
+                sds_config:
+                  path_config_source:
+                    path: "/sds/xds-certificate.json"
+                  resource_api_version: V3
+              validation_context_sds_secret_config:
+                name: xds_trusted_ca
+                sds_config:
+                  path_config_source:
+                    path: "/sds/xds-trusted-ca.json"
+                  resource_api_version: V3
+    layered_runtime:
+      layers:
+      - name: runtime-0
+        rtds_layer:
+          rtds_config:
+            ads: {}
+          name: runtime-0
 EOF
 ```
 
+You can use [egctl translate](https://gateway.envoyproxy.io/latest/user/egctl.html#validating-gateway-api-configuration)
+to get the default xDS Bootstrap configuration used by Envoy Gateway.
+
 After applying the config, the bootstrap config will be overridden by the new config you provided.
-Envoy Gateway will use Webhook to validate the bootstrap config you provided.
+Any errors in the configuration will be surfaced as status within the `GatewayClass` resource.
+You can also validate this configuration using [egctl translate](https://gateway.envoyproxy.io/latest/user/egctl.html#validating-gateway-api-configuration).
 
 [Gateway API documentation]: https://gateway-api.sigs.k8s.io/
-[EnvoyProxy]: https://www.envoyproxy.io/
+[EnvoyProxy]: https://gateway.envoyproxy.io/latest/api/config_types.html#envoyproxy 
diff --git a/docs/latest/user/egctl.md b/docs/latest/user/egctl.md
index b32c4a2c285..76693eb2609 100644
--- a/docs/latest/user/egctl.md
+++ b/docs/latest/user/egctl.md
@@ -391,12 +391,14 @@ dynamicRouteConfigs:
 resourceType: route
 ```
 
+### Add Missing Resources
+
 You can pass the `--add-missing-resources` flag to use dummy non Gateway API resources instead of specifying them explicitly.
 
 For example, this will provide the same result as the above:
 
 ```shell
-cat <<EOF | egctl x translate --add-missing-resources --from gateway-api --to xds -t route -f -
+cat <<EOF | egctl x translate --add-missing-resources --from gateway-api --to gateway-api -t route -f -
 apiVersion: gateway.networking.k8s.io/v1beta1
 kind: GatewayClass
 metadata:
@@ -459,6 +461,175 @@ spec:
 EOF
 ```
 
+You can see the output contains a [EnvoyProxy](https://gateway.envoyproxy.io/latest/api/config_types.html#envoyproxy) resource that
+can be used as a starting point to modify the xDS bootstrap resource for the managed Envoy Proxy fleet.
+
+```yaml
+envoyProxy:
+  metadata:
+    creationTimestamp: null
+    name: default-envoy-proxy
+    namespace: envoy-gateway-system
+  spec:
+    bootstrap: |
+      admin:
+        access_log:
+        - name: envoy.access_loggers.file
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+            path: /dev/null
+        address:
+          socket_address:
+            address: 127.0.0.1
+            port_value: 19000
+      dynamic_resources:
+        ads_config:
+          api_type: DELTA_GRPC
+          transport_api_version: V3
+          grpc_services:
+          - envoy_grpc:
+              cluster_name: xds_cluster
+          set_node_on_first_message_only: true
+        lds_config:
+          ads: {}
+        cds_config:
+          ads: {}
+      static_resources:
+        clusters:
+        - connect_timeout: 10s
+          load_assignment:
+            cluster_name: xds_cluster
+            endpoints:
+            - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: envoy-gateway
+                      port_value: 18000
+          typed_extension_protocol_options:
+            "envoy.extensions.upstreams.http.v3.HttpProtocolOptions":
+               "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+               "explicit_http_config":
+                 "http2_protocol_options": {}
+          name: xds_cluster
+          type: STRICT_DNS
+          transport_socket:
+            name: envoy.transport_sockets.tls
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+              common_tls_context:
+                tls_params:
+                  tls_maximum_protocol_version: TLSv1_3
+                tls_certificate_sds_secret_configs:
+                - name: xds_certificate
+                  sds_config:
+                    path_config_source:
+                      path: "/sds/xds-certificate.json"
+                    resource_api_version: V3
+                validation_context_sds_secret_config:
+                  name: xds_trusted_ca
+                  sds_config:
+                    path_config_source:
+                      path: "/sds/xds-trusted-ca.json"
+                    resource_api_version: V3
+      layered_runtime:
+        layers:
+        - name: runtime-0
+          rtds_layer:
+            rtds_config:
+              ads: {}
+            name: runtime-0
+    logging: {}
+  status: {}
+gatewayClass:
+  metadata:
+    creationTimestamp: null
+    name: eg
+    namespace: envoy-gateway-system
+  spec:
+    controllerName: gateway.envoyproxy.io/gatewayclass-controller
+    parametersRef:
+      group: config.gateway.envoyproxy.io
+      kind: EnvoyProxy
+      name: default-envoy-proxy
+      namespace: envoy-gateway-system
+  status:
+    conditions:
+    - lastTransitionTime: "2023-04-19T20:30:46Z"
+      message: Valid GatewayClass
+      reason: Accepted
+      status: "True"
+      type: Accepted
+gateways:
+- metadata:
+    creationTimestamp: null
+    name: eg
+    namespace: default
+  spec:
+    gatewayClassName: eg
+    listeners:
+    - name: http
+      port: 80
+      protocol: HTTP
+  status:
+    listeners:
+    - attachedRoutes: 1
+      conditions:
+      - lastTransitionTime: "2023-04-19T20:30:46Z"
+        message: Sending translated listener configuration to the data plane
+        reason: Programmed
+        status: "True"
+        type: Programmed
+      - lastTransitionTime: "2023-04-19T20:30:46Z"
+        message: Listener has been successfully translated
+        reason: Accepted
+        status: "True"
+        type: Accepted
+      name: http
+      supportedKinds:
+      - group: gateway.networking.k8s.io
+        kind: HTTPRoute
+      - group: gateway.networking.k8s.io
+        kind: GRPCRoute
+httpRoutes:
+- metadata:
+    creationTimestamp: null
+    name: backend
+    namespace: default
+  spec:
+    hostnames:
+    - www.example.com
+    parentRefs:
+    - name: eg
+    rules:
+    - backendRefs:
+      - group: ""
+        kind: Service
+        name: backend
+        port: 3000
+        weight: 1
+      matches:
+      - path:
+          type: PathPrefix
+          value: /
+  status:
+    parents:
+    - conditions:
+      - lastTransitionTime: "2023-04-19T20:30:46Z"
+        message: Route is accepted
+        reason: Accepted
+        status: "True"
+        type: Accepted
+      - lastTransitionTime: "2023-04-19T20:30:46Z"
+        message: Resolved all the Object references for the Route
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
+      controllerName: gateway.envoyproxy.io/gatewayclass-controller
+      parentRef:
+        name: eg
+```
+
 Sometimes you might find that egctl doesn't provide an expected result. For example, the following example provides an empty route resource:
 
 ```shell
@@ -503,21 +674,96 @@ EOF
 ```
 
 ```yaml
-'@type': type.googleapis.com/envoy.admin.v3.RoutesConfigDump
-configKey: envoy-gateway-system-eg
-resourceType: route
+xds:
+  envoy-gateway-system-eg:
+    '@type': type.googleapis.com/envoy.admin.v3.RoutesConfigDump
 ```
 
+### Validating Gateway API Configuration
+
 You can add an additional target `gateway-api` to show the processed Gateway API resources. For example, translating the above resources with the new argument shows that the HTTPRoute is rejected because there is no ready listener for it:
 
 ```shell
 cat <<EOF | egctl x translate --from gateway-api --type route --to gateway-api,xds -f -
-...
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: GatewayClass
+metadata:
+  name: eg
+spec:
+  controllerName: gateway.envoyproxy.io/gatewayclass-controller
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: eg
+spec:
+  gatewayClassName: eg
+  listeners:
+    - name: tls
+      protocol: TLS
+      port: 8443
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: backend
+spec:
+  parentRefs:
+    - name: eg
+  rules:
+    - backendRefs:
+        - group: ""
+          kind: Service
+          name: backend
+          port: 3000
+          weight: 1
+      matches:
+        - path:
+            type: PathPrefix
+            value: /
+EOF
 ```
 
 ```yaml
-...
-HTTPRoutes:
+gatewayClass:
+  metadata:
+    creationTimestamp: null
+    name: eg
+    namespace: envoy-gateway-system
+  spec:
+    controllerName: gateway.envoyproxy.io/gatewayclass-controller
+  status:
+    conditions:
+    - lastTransitionTime: "2023-04-19T20:54:52Z"
+      message: Valid GatewayClass
+      reason: Accepted
+      status: "True"
+      type: Accepted
+gateways:
+- metadata:
+    creationTimestamp: null
+    name: eg
+    namespace: envoy-gateway-system
+  spec:
+    gatewayClassName: eg
+    listeners:
+    - name: tls
+      port: 8443
+      protocol: TLS
+  status:
+    listeners:
+    - attachedRoutes: 0
+      conditions:
+      - lastTransitionTime: "2023-04-19T20:54:52Z"
+        message: Listener must have TLS set when protocol is TLS.
+        reason: Invalid
+        status: "False"
+        type: Programmed
+      name: tls
+      supportedKinds:
+      - group: gateway.networking.k8s.io
+        kind: TLSRoute
+httpRoutes:
 - metadata:
     creationTimestamp: null
     name: backend
@@ -539,24 +785,20 @@ HTTPRoutes:
   status:
     parents:
     - conditions:
-      - lastTransitionTime: "2023-03-21T12:03:11Z"
+      - lastTransitionTime: "2023-04-19T20:54:52Z"
         message: There are no ready listeners for this parent ref
         reason: NoReadyListeners
         status: "False"
         type: Accepted
+      - lastTransitionTime: "2023-04-19T20:54:52Z"
+        message: Service envoy-gateway-system/backend not found
+        reason: BackendNotFound
+        status: "False"
+        type: ResolvedRefs
       controllerName: gateway.envoyproxy.io/gatewayclass-controller
       parentRef:
         name: eg
-...
----
-'@type': type.googleapis.com/envoy.admin.v3.RoutesConfigDump
-configKey: envoy-gateway-system-eg
-resourceType: route
-```
-
-You can also specify the `--to gateway-api` to output the processed resources only:
-
-```shell
-cat <<EOF | egctl x translate --from gateway-api --type route --to gateway-api -f -
-...
+xds:
+  envoy-gateway-system-eg:
+    '@type': type.googleapis.com/envoy.admin.v3.RoutesConfigDump
 ```
diff --git a/docs/latest/user/rsa+ecdsa-secure-gateways.md b/docs/latest/user/rsa+ecdsa-secure-gateways.md
deleted file mode 100644
index 577e7c99cf4..00000000000
--- a/docs/latest/user/rsa+ecdsa-secure-gateways.md
+++ /dev/null
@@ -1,116 +0,0 @@
-# RSA + ECDSA Dual stack certificates
-
-This guide gives a walkthrough to generate RSA and ECDSA derived certificates and keys for the Server, which can then be configured in the Gateway listener, to terminate TLS traffic.
-
-## Prerequisites
-
-- OpenSSL to generate TLS assets.
-
-## Installation
-
-Follow the steps from the [Quickstart Guide](quickstart.md) to install Envoy Gateway and the example manifest.
-Before proceeding, you should be able to query the example backend using HTTP.
-
-Follow the steps in the [Secure Gateways](secure-gateways.md) guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic.
-
-
-## Pre-checks
-
-While testing in [Cluster without External LoadBalancer Support](secure-gateways.md#clusters-without-external-loadbalancer-support), we can query the example app through Envoy proxy while enforcing an RSA cipher, as shown below:
-
-```shell
-curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \
---cacert example.com.crt https://www.example.com:8443/get  -Isv --ciphers ECDHE-RSA-CHACHA20-POLY1305 --tlsv1.2 --tls-max 1.2
-```
-
-Since the Secret configured at this point is an RSA based Secret, if we enforce the usage of an ECDSA cipher, the call should fail as follows
-
-```shell
-$ curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \
---cacert example.com.crt https://www.example.com:8443/get  -Isv --ciphers ECDHE-ECDSA-CHACHA20-POLY1305 --tlsv1.2 --tls-max 1.2
-
-* Added www.example.com:8443:127.0.0.1 to DNS cache
-* Hostname www.example.com was found in DNS cache
-*   Trying 127.0.0.1:8443...
-* Connected to www.example.com (127.0.0.1) port 8443 (#0)
-* ALPN: offers h2
-* ALPN: offers http/1.1
-* Cipher selection: ECDHE-ECDSA-CHACHA20-POLY1305
-*  CAfile: example.com.crt
-*  CApath: none
-* (304) (OUT), TLS handshake, Client hello (1):
-* error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
-* Closing connection 0
-```
-
-Moving forward in the doc, we will be configuring the existing Gateway listener to accept both kinds of ciphers.
-
-## TLS Certificates
-
-Reuse the the CA certificate and key pair generated in the [Secure Gateways](secure-gateways.md) guide and use this CA to sign both RSA and ECDSA Server certificates. 
-Note the CA certificate and key names are `example.com.crt` and `example.com.key` respectively.
-
-
-Create an ECDSA certificate and a private key for `www.example.com`:
-
-```shell
-openssl ecparam -noout -genkey -name prime256v1 -out www.example.com.ecdsa.key
-openssl req -new -SHA384 -key www.example.com.ecdsa.key -nodes -out www.example.com.ecdsa.csr -subj "/CN=www.example.com/O=example organization"
-openssl x509 -req -SHA384  -days 365 -in www.example.com.ecdsa.csr -CA example.com.crt -CAkey example.com.key -CAcreateserial -out www.example.com.ecdsa.crt 
-```
-
-Store the cert/key in a Secret:
-
-```shell
-kubectl create secret tls example-cert-ecdsa --key=www.example.com.ecdsa.key --cert=www.example.com.ecdsa.crt
-```
-
-Patch the Gateway with this additional ECDSA Secret:
-
-```shell
-kubectl patch gateway eg --type=json --patch '[{
-   "op": "add",
-   "path": "/spec/listeners/1/tls/certificateRefs/-",
-   "value": {
-      "name": "example-cert-ecdsa",
-    },
-}]'
-```
-
-Verify the Gateway status:
-
-```shell
-kubectl get gateway/eg -o yaml
-```
-
-## Testing
-
-Again, while testing in Cluster without External LoadBalancer Support, we can query the example app through Envoy proxy while enforcing an RSA cipher, which should work as it did before:
-
-```shell
-curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \
---cacert example.com.crt https://www.example.com:8443/get  -Isv --ciphers ECDHE-RSA-CHACHA20-POLY1305 --tlsv1.2 --tls-max 1.2
-```
-
-```shell
-...
-* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
-* TLSv1.2 (IN), TLS handshake, Finished (20):
-* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
-...
-```
-
-Additionally, querying the example app while enforcing an ECDSA cipher should also work now:
-
-```shell
-curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \
---cacert example.com.crt https://www.example.com:8443/get  -Isv --ciphers ECDHE-ECDSA-CHACHA20-POLY1305 --tlsv1.2 --tls-max 1.2
-```
-
-```shell
-...
-* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
-* TLSv1.2 (IN), TLS handshake, Finished (20):
-* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
-...
-```
diff --git a/docs/latest/user/secure-gateways.md b/docs/latest/user/secure-gateways.md
index c0e2b3bb37c..968c9581d68 100644
--- a/docs/latest/user/secure-gateways.md
+++ b/docs/latest/user/secure-gateways.md
@@ -249,6 +249,118 @@ kubectl delete secret/example-cert
 kubectl delete secret/foo-cert
 ```
 
+# RSA + ECDSA Dual stack certificates
+
+This guide gives a walkthrough to generate RSA and ECDSA derived certificates and keys for the Server, which can then be configured in the Gateway listener, to terminate TLS traffic.
+
+## Prerequisites
+
+Follow the steps from the [Quickstart Guide](quickstart.md) to install Envoy Gateway and the example manifest.
+Before proceeding, you should be able to query the example backend using HTTP.
+
+Follow the steps in the [Secure Gateways](secure-gateways.md) guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic.
+
+## Pre-checks
+
+While testing in [Cluster without External LoadBalancer Support](secure-gateways.md#clusters-without-external-loadbalancer-support), we can query the example app through Envoy proxy while enforcing an RSA cipher, as shown below:
+
+```shell
+curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \
+--cacert example.com.crt https://www.example.com:8443/get  -Isv --ciphers ECDHE-RSA-CHACHA20-POLY1305 --tlsv1.2 --tls-max 1.2
+```
+
+Since the Secret configured at this point is an RSA based Secret, if we enforce the usage of an ECDSA cipher, the call should fail as follows
+
+```shell
+$ curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \
+--cacert example.com.crt https://www.example.com:8443/get  -Isv --ciphers ECDHE-ECDSA-CHACHA20-POLY1305 --tlsv1.2 --tls-max 1.2
+
+* Added www.example.com:8443:127.0.0.1 to DNS cache
+* Hostname www.example.com was found in DNS cache
+*   Trying 127.0.0.1:8443...
+* Connected to www.example.com (127.0.0.1) port 8443 (#0)
+* ALPN: offers h2
+* ALPN: offers http/1.1
+* Cipher selection: ECDHE-ECDSA-CHACHA20-POLY1305
+*  CAfile: example.com.crt
+*  CApath: none
+* (304) (OUT), TLS handshake, Client hello (1):
+* error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
+* Closing connection 0
+```
+
+Moving forward in the doc, we will be configuring the existing Gateway listener to accept both kinds of ciphers.
+
+## TLS Certificates
+
+Reuse the the CA certificate and key pair generated in the [Secure Gateways](secure-gateways.md) guide and use this CA to sign both RSA and ECDSA Server certificates.
+Note the CA certificate and key names are `example.com.crt` and `example.com.key` respectively.
+
+
+Create an ECDSA certificate and a private key for `www.example.com`:
+
+```shell
+openssl ecparam -noout -genkey -name prime256v1 -out www.example.com.ecdsa.key
+openssl req -new -SHA384 -key www.example.com.ecdsa.key -nodes -out www.example.com.ecdsa.csr -subj "/CN=www.example.com/O=example organization"
+openssl x509 -req -SHA384  -days 365 -in www.example.com.ecdsa.csr -CA example.com.crt -CAkey example.com.key -CAcreateserial -out www.example.com.ecdsa.crt
+```
+
+Store the cert/key in a Secret:
+
+```shell
+kubectl create secret tls example-cert-ecdsa --key=www.example.com.ecdsa.key --cert=www.example.com.ecdsa.crt
+```
+
+Patch the Gateway with this additional ECDSA Secret:
+
+```shell
+kubectl patch gateway eg --type=json --patch '[{
+   "op": "add",
+   "path": "/spec/listeners/1/tls/certificateRefs/-",
+   "value": {
+      "name": "example-cert-ecdsa",
+    },
+}]'
+```
+
+Verify the Gateway status:
+
+```shell
+kubectl get gateway/eg -o yaml
+```
+
+## Testing
+
+Again, while testing in Cluster without External LoadBalancer Support, we can query the example app through Envoy proxy while enforcing an RSA cipher, which should work as it did before:
+
+```shell
+curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \
+--cacert example.com.crt https://www.example.com:8443/get  -Isv --ciphers ECDHE-RSA-CHACHA20-POLY1305 --tlsv1.2 --tls-max 1.2
+```
+
+```shell
+...
+* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
+* TLSv1.2 (IN), TLS handshake, Finished (20):
+* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
+...
+```
+
+Additionally, querying the example app while enforcing an ECDSA cipher should also work now:
+
+```shell
+curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \
+--cacert example.com.crt https://www.example.com:8443/get  -Isv --ciphers ECDHE-ECDSA-CHACHA20-POLY1305 --tlsv1.2 --tls-max 1.2
+```
+
+```shell
+...
+* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
+* TLSv1.2 (IN), TLS handshake, Finished (20):
+* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
+...
+```
+
 ## Next Steps
 
 Checkout the [Developer Guide](../dev/README.md) to get involved in the project.
diff --git a/internal/extension/testutils/hooks.go b/internal/extension/testutils/hooks.go
index 3905923de79..d42867163ba 100644
--- a/internal/extension/testutils/hooks.go
+++ b/internal/extension/testutils/hooks.go
@@ -16,6 +16,7 @@ import (
 	listenerV3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	routeV3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
 	tlsV3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
+	"github.com/golang/protobuf/proto"
 	"google.golang.org/protobuf/types/known/durationpb"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
@@ -24,16 +25,20 @@ type XDSHookClient struct{}
 
 // PostRouteModifyHook returns a modified version of the route using context info and the passed in extensionResources
 func (c *XDSHookClient) PostRouteModifyHook(route *routeV3.Route, routeHostnames []string, extensionResources []*unstructured.Unstructured) (*routeV3.Route, error) {
+	// Simulate an error an extension may return
+	if route.Name == "extension-post-xdsroute-hook-error" {
+		return nil, errors.New("route hook resource error")
+	}
+
+	// Setup a new route to avoid operating directly on the passed in pointer for better test coverage that the
+	// route we are returning gets used properly
+	modifiedRoute := proto.Clone(route).(*routeV3.Route)
 	for _, extensionResource := range extensionResources {
-		// Simulate an error an extension may return
-		if route.Name == "extension-post-xdsroute-hook-error" {
-			return nil, errors.New("route hook resource error")
-		}
-		route.ResponseHeadersToAdd = append(route.ResponseHeadersToAdd,
+		modifiedRoute.ResponseHeadersToAdd = append(modifiedRoute.ResponseHeadersToAdd,
 			&coreV3.HeaderValueOption{
 				Header: &coreV3.HeaderValue{
 					Key:   "mock-extension-was-here-route-name",
-					Value: route.Name,
+					Value: modifiedRoute.Name,
 				},
 			},
 			&coreV3.HeaderValueOption{
@@ -68,7 +73,7 @@ func (c *XDSHookClient) PostRouteModifyHook(route *routeV3.Route, routeHostnames
 			},
 		)
 	}
-	return route, nil
+	return modifiedRoute, nil
 }
 
 // PostVirtualHostModifyHook returns a modified version of the virtualhost with a new route injected
@@ -78,7 +83,10 @@ func (c *XDSHookClient) PostVirtualHostModifyHook(vh *routeV3.VirtualHost) (*rou
 	if vh.Name == "extension-post-xdsvirtualhost-hook-error" {
 		return nil, fmt.Errorf("extension post xds virtual host hook error")
 	} else if vh.Name == "extension-listener" {
-		vh.Routes = append(vh.Routes, &routeV3.Route{
+		// Setup a new VirtualHost to avoid operating directly on the passed in pointer for better test coverage that the
+		// VirtualHost we are returning gets used properly
+		modifiedVH := proto.Clone(vh).(*routeV3.VirtualHost)
+		modifiedVH.Routes = append(modifiedVH.Routes, &routeV3.Route{
 			Name: "mock-extension-inserted-route",
 			Action: &routeV3.Route_DirectResponse{
 				DirectResponse: &routeV3.DirectResponseAction{
@@ -86,6 +94,7 @@ func (c *XDSHookClient) PostVirtualHostModifyHook(vh *routeV3.VirtualHost) (*rou
 				},
 			},
 		})
+		return modifiedVH, nil
 	}
 	return vh, nil
 }
@@ -100,7 +109,11 @@ func (c *XDSHookClient) PostHTTPListenerModifyHook(l *listenerV3.Listener) (*lis
 	if l.Name == "extension-post-xdslistener-hook-error" {
 		return nil, fmt.Errorf("extension post xds listener hook error")
 	} else if l.Name == "extension-listener" {
-		l.StatPrefix = "mock-extension-inserted-prefix"
+		// Setup a new Listener to avoid operating directly on the passed in pointer for better test coverage that the
+		// Listener we are returning gets used properly
+		modifiedListener := proto.Clone(l).(*listenerV3.Listener)
+		modifiedListener.StatPrefix = "mock-extension-inserted-prefix"
+		return modifiedListener, nil
 	}
 	return l, nil
 }
diff --git a/internal/xds/translator/extension.go b/internal/xds/translator/extension.go
index c1248c7129d..0c925a75149 100644
--- a/internal/xds/translator/extension.go
+++ b/internal/xds/translator/extension.go
@@ -9,6 +9,10 @@
 package translator
 
 import (
+	"errors"
+	"fmt"
+	"reflect"
+
 	clusterv3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
 	listenerv3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
@@ -17,11 +21,10 @@ import (
 	resourcev3 "github.com/envoyproxy/go-control-plane/pkg/resource/v3"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
-	"github.com/envoyproxy/gateway/internal/ir"
-	"github.com/envoyproxy/gateway/internal/xds/types"
-
 	"github.com/envoyproxy/gateway/api/config/v1alpha1"
 	extensionTypes "github.com/envoyproxy/gateway/internal/extension/types"
+	"github.com/envoyproxy/gateway/internal/ir"
+	"github.com/envoyproxy/gateway/internal/xds/types"
 )
 
 func processExtensionPostRouteHook(route *routev3.Route, vHost *routev3.VirtualHost, irRoute *ir.HTTPRoute, em *extensionTypes.Manager) error {
@@ -53,9 +56,9 @@ func processExtensionPostRouteHook(route *routev3.Route, vHost *routev3.VirtualH
 
 	// If the extension returned a modified Route, then copy its to the one that was passed in as a reference
 	if modifiedRoute != nil {
-		// Overwrite the pointer for the original route.
-		// Uses nolint because of the ineffectual assignment check
-		route = modifiedRoute //nolint
+		if err = deepCopyPtr(modifiedRoute, route); err != nil {
+			return err
+		}
 	}
 	return nil
 }
@@ -81,9 +84,9 @@ func processExtensionPostVHostHook(vHost *routev3.VirtualHost, em *extensionType
 
 	// If the extension returned a modified Virtual Host, then copy its to the one that was passed in as a reference
 	if modifiedVH != nil {
-		// Overwrite the pointer for the original virtual host.
-		// Uses nolint because of the ineffectual assignment check
-		vHost = modifiedVH //nolint
+		if err = deepCopyPtr(modifiedVH, vHost); err != nil {
+			return err
+		}
 	}
 
 	return nil
@@ -168,3 +171,24 @@ func processExtensionPostTranslationHook(tCtx *types.ResourceVersionTable, em *e
 
 	return nil
 }
+
+func deepCopyPtr(src interface{}, dest interface{}) error {
+	if src == nil || dest == nil {
+		return errors.New("cannot deep copy nil pointer")
+	}
+	srcVal := reflect.ValueOf(src)
+	destVal := reflect.ValueOf(src)
+	if srcVal.Kind() == reflect.Ptr && destVal.Kind() == reflect.Ptr {
+		srcElem := srcVal.Elem()
+		destVal = reflect.New(srcElem.Type())
+		destElem := destVal.Elem()
+		destElem.Set(srcElem)
+		reflect.ValueOf(dest).Elem().Set(destVal.Elem())
+	} else {
+		return fmt.Errorf("cannot deep copy pointers to different kinds src %v != dest %v",
+			srcVal.Kind(),
+			destVal.Kind(),
+		)
+	}
+	return nil
+}
diff --git a/tools/make/kube.mk b/tools/make/kube.mk
index 77e1e9e7026..759cb596d34 100644
--- a/tools/make/kube.mk
+++ b/tools/make/kube.mk
@@ -125,7 +125,7 @@ generate-manifests: helm-generate ## Generate Kubernetes release manifests.
 	@$(LOG_TARGET)
 	@$(call log, "Generating kubernetes manifests")
 	mkdir -p $(OUTPUT_DIR)/
-	helm template eg charts/gateway-helm --include-crds --set deployment.envoyGateway.imagePullPolicy=$(IMAGE_PULL_POLICY) > $(OUTPUT_DIR)/install.yaml
+	helm template --set createNamespace=true eg charts/gateway-helm --include-crds --set deployment.envoyGateway.imagePullPolicy=$(IMAGE_PULL_POLICY) --namespace envoy-gateway-system > $(OUTPUT_DIR)/install.yaml
 	@$(call log, "Added: $(OUTPUT_DIR)/install.yaml")
 	cp examples/kubernetes/quickstart.yaml $(OUTPUT_DIR)/quickstart.yaml
 	@$(call log, "Added: $(OUTPUT_DIR)/quickstart.yaml")