diff --git a/charts/kubezero/bootstrap.sh b/charts/kubezero/bootstrap.sh
index fb71fbf..87f4dfc 100755
--- a/charts/kubezero/bootstrap.sh
+++ b/charts/kubezero/bootstrap.sh
@@ -93,7 +93,7 @@ function _helm() {
 local action=$1
 local module=$2
- local chart="kubezero-${module}"
+ local chart="$(yq eval '.spec.source.chart' $TMPDIR/kubezero/templates/${module}.yaml)"
 local namespace="$(yq eval '.spec.destination.namespace' $TMPDIR/kubezero/templates/${module}.yaml)"

 targetRevision=""
@@ -123,7 +123,7 @@ function _helm() {
 apply

 # Delete dedicated namespace if not kube-system
- delete_ns $namespace
+ [ -n "$DELETE_NS" ] && delete_ns $namespace
 fi

 return 0
diff --git a/charts/kubezero/templates/istio-ingress.yaml b/charts/kubezero/templates/istio-ingress.yaml
new file mode 100644
index 0000000..d26f8ef
--- /dev/null
+++ b/charts/kubezero/templates/istio-ingress.yaml
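Review bot: The new `local chart="$(yq eval ...)"` line hides a yq failure, because `local` returns 0 whatever the command substitution did, and for a module template that has no `.spec.source.chart` yq prints `null`, so `_helm` would carry on acting on a chart literally named `null` instead of stopping. Splitting declaration from assignment and validating the value closes both gaps: `local chart` / `chart=$(yq eval '.spec.source.chart' "$TMPDIR/kubezero/templates/${module}.yaml") || return 1` / `[ -n "$chart" ] && [ "$chart" != "null" ] || { echo "no .spec.source.chart in ${module}.yaml" >&2; return 1; }`. The values.yaml hunk in this commit sets `chart:` only for istio-ingress, so whether every other module renders that field depends on the shared template, which is not shown here. `_helm` starts and ends outside the hunk.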
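Review bot: `[ -n "$DELETE_NS" ]` enables namespace deletion for any non-empty value, so `DELETE_NS=false` or `DELETE_NS=0` would still delete the namespace; for a destructive step a strict comparison such as `[ "${DELETE_NS:-}" = "true" ] && delete_ns "$namespace"` is safer and also quotes `$namespace`. The comment above the line still reads as if deletion were unconditional and should say that it is now opt-in, e.g. `# Delete dedicated namespace (if not kube-system, as before) only when DELETE_NS is set; default is to keep it`. `DELETE_NS` is a new knob and belongs in the script's usage/header text alongside the other environment variables it reads. The enclosing `if` and `_helm` itself begin outside the hunk.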
@@ -0,0 +1,80 @@
+{{- define "istio-ingress-values" }}
+
+gateway:
+ name: istio-ingressgateway
+ labels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+
+ # Only nodes who are fronted with matching private NLB
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node.kubernetes.io/ingress.public
+ operator: Exists
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - istio-ingressgateway
+ topologyKey: "kubernetes.io/hostname"
+
+ service:
+ ports:
+ - name: status-port
+ port: 15021
+ nodePort: 30021
+ noGateway: true
+ - name: http2
+ port: 80
+ targetPort: 8080
+ nodePort: 30080
+ gatewayProtocol: HTTP2
+ tls:
+ httpsRedirect: true
+ - name: https
+ port: 443
+ targetPort: 8443
+ nodePort: 30443
+ gatewayProtocol: HTTPS
+ tls:
+ mode: SIMPLE
+
+ # custom hardened bootstrap config
+ env:
+ ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
+ volumes:
+ - name: custom-bootstrap-volume
+ configMap:
+ name: ingressgateway-bootstrap-config
+ volumeMounts:
+ - mountPath: /etc/istio/custom-bootstrap
+ name: custom-bootstrap-volume
+ readOnly: true
+
+ {{- with index .Values "istio-ingress" "gateway" }}
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+
+telemetry:
+ enabled: {{ $.Values.metrics.enabled }}
+certificates:
+{{- range $cert := index .Values "istio-ingress" "certificates" }}
+- name: {{ $cert.name }}
+ dnsNames:
+ {{- toYaml $cert.dnsNames | nindent 4 }}
+{{- end }}
+proxyProtocol: {{ default true (index .Values "istio-ingress" "proxyProtocol") }}
+
+{{- end }}
+
+
+{{- define "istio-ingress-argo" }}
+{{- end }}
+
+{{ include "kubezero-app.app" . }}
diff --git a/charts/kubezero/templates/istio-private-ingress.yaml b/charts/kubezero/templates/istio-private-ingress.yaml
index ae18564..bd6433e 100644
--- a/charts/kubezero/templates/istio-private-ingress.yaml
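Review bot: `proxyProtocol: {{ default true (index .Values "istio-ingress" "proxyProtocol") }}` cannot be switched off, because Helm's `default` treats `false` as an empty value and returns `true` for it, so a user who sets `proxyProtocol: false` silently gets PROXY protocol enabled on the gateway listener. Testing for key presence honours an explicit false: `proxyProtocol: {{ hasKey (index .Values "istio-ingress") "proxyProtocol" | ternary (index .Values "istio-ingress" "proxyProtocol") true }}`. Separately, the `{{- with index .Values "istio-ingress" "gateway" }} … toYaml … nindent 2` passthrough dumps the entire user `gateway` map under the hard-coded `affinity`, `service`, `env` and `volumes` keys, so an override of any of those yields a duplicate mapping key in the rendered values (an error or last-one-wins depending on the YAML parser, never a deep merge); the private-ingress template in this same commit already switched to explicit `replicaCount` and `service.ports` hooks, and this new file should follow that pattern. The `ingressgateway-bootstrap-config` ConfigMap mounted for `ISTIO_BOOTSTRAP_OVERRIDE` is not created anywhere in this diff; if it is provisioned elsewhere, a comment naming where would save the next reader a search.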
+++ b/charts/kubezero/templates/istio-private-ingress.yaml @@ -2,13 +2,68 @@ gateway: name: istio-private-ingressgateway - labels: + labels: app: istio-private-ingressgateway istio: private-ingressgateway - {{- with index .Values "istio-private-ingress" "gateway" }} - {{- toYaml . | nindent 2 }} + + {{- with index .Values "istio-private-ingress" "gateway" "replicaCount" }} + replicaCount: {{ . }} {{- end }} + # Only nodes who are fronted with matching private NLB + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node.kubernetes.io/ingress.private + operator: Exists + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - istio-private-ingressgateway + topologyKey: "kubernetes.io/hostname" + + service: + ports: + - name: status-port + port: 15021 + nodePort: 31021 + noGateway: true + - name: http2 + port: 80 + targetPort: 8080 + nodePort: 31080 + gatewayProtocol: HTTP2 + tls: + httpsRedirect: true + - name: https + port: 443 + targetPort: 8443 + nodePort: 31443 + gatewayProtocol: HTTPS + tls: + mode: SIMPLE + {{- with index .Values "istio-private-ingress" "gateway" "service" "ports" }} + {{- toYaml . | nindent 4 }} + {{- end }} + + # custom hardened bootstrap config + env: + ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json + volumes: + - name: custom-bootstrap-volume + configMap: + name: private-ingressgateway-bootstrap-config + volumeMounts: + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + readOnly: true + telemetry: enabled: {{ $.Values.metrics.enabled }} certificates: diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index d8f0087..035cc8e 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml 
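Review bot: Replacing the whole-map `{{- with index .Values "istio-private-ingress" "gateway" }} … toYaml … {{- end }}` passthrough with explicit `replicaCount` and `service.ports` hooks means any other key a values file sets under `istio-private-ingress.gateway` (resources, annotations and the like) is now silently ignored at render time. That is a behaviour change for any values file that relied on the passthrough and deserves a comment at the insertion point, e.g. `# Only gateway.replicaCount and gateway.service.ports are taken from .Values; other gateway keys are ignored`, plus a line in the chart's changelog. The `service.ports` hook appends the user entries after the three built-in ones at `nindent 4`, so a user entry reusing a built-in name such as `https` would produce two list items with the same name rather than an override, which is worth stating in that comment as well. The `- labels:`/`+ labels:` pair shows no visible difference and is presumably a whitespace-only change.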
@@ -35,6 +35,7 @@ istio: istio-ingress: enabled: false + chart: kubezero-istio-gateway namespace: istio-ingress targetRevision: 0.8.0