diff --git a/nullplatform/base/locals.tf b/nullplatform/base/locals.tf
index a1e4a496..e0034ba9 100644
--- a/nullplatform/base/locals.tf
+++ b/nullplatform/base/locals.tf
@@ -26,7 +26,9 @@ locals {
 gateway_enabled = var.gateway_enabled ? "true" : "false"
 gateway_internal_enabled = var.gateway_internal_enabled ? "true" : "false"
 gateway_public_enabled = var.gateway_public_enabled ? "true" : "false"
+ gateway_public_name = var.gateway_public_name
 gateway_internal_azure_load_balancer_subnet = var.internal_azure_load_balancer_subnet
+ gateway_public_load_balancer_type = var.gateway_public_load_balancer_type
 gateway_public_aws_name = var.gateway_public_aws_name
 gateway_internal_aws_name = var.gateway_internal_aws_name
 gateway_public_aws_dns_name = var.gateway_public_aws_dns_name
diff --git a/nullplatform/base/main.tf b/nullplatform/base/main.tf
index 1e83558e..4b7e06fe 100644
--- a/nullplatform/base/main.tf
+++ b/nullplatform/base/main.tf
@@ -8,10 +8,13 @@ resource "kubernetes_namespace_v1" "nullplatform_tools" {
 metadata {
 name = var.namespace
 labels = {
- name = var.namespace
+ name = var.namespace
+ "app.kubernetes.io/managed-by" = "Helm"
 }
 annotations = {
 "openshift.io/cluster-monitoring" = "true"
+ "meta.helm.sh/release-name" = "nullplatform-base"
+ "meta.helm.sh/release-namespace" = var.namespace
 }
 }
 }
diff --git a/nullplatform/base/templates/nullplatform_base_values.tmpl.yaml b/nullplatform/base/templates/nullplatform_base_values.tmpl.yaml
index 09d54804..5711269d 100644
--- a/nullplatform/base/templates/nullplatform_base_values.tmpl.yaml
+++ b/nullplatform/base/templates/nullplatform_base_values.tmpl.yaml
@@ -54,7 +54,7 @@ gateway:
 maxReplicas: 10
 loadBalancerType: "internal" # internal, external
 public:
- name: "gateway-public"
+ name: "${gateway_public_name}"
 enabled: ${gateway_public_enabled}
 aws:
 name: ${gateway_public_aws_name}
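Review bot: In nullplatform/base/main.tf the new `"meta.helm.sh/release-name" = "nullplatform-base"` annotation is a literal, and the Helm release it has to match is not visible in this hunk. Helm compares these ownership keys when it adopts an existing object, so if the release is ever renamed or made configurable the install is likely to be rejected with an ownership-metadata error. Take the value from the same place the release name is defined, for example a shared local (placeholder name: `local.base_release_name`), and add a comment such as `# Helm ownership metadata: lets the nullplatform-base release adopt this Terraform-created namespace`. It would also help to state which tool owns deletion, because a namespace the release has adopted may be removed on uninstall, along with everything in it, while Terraform still tracks it.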
@@ -72,7 +72,7 @@ gateway:
 autoscaling:
 minReplicas: 2
 maxReplicas: 10
- loadBalancerType: "external" # internal, external
+ loadBalancerType: "${gateway_public_load_balancer_type}"
 # Nullplatform configurations
 nullplatform:
 apiKey: "${np_api_key}"
diff --git a/nullplatform/base/tests/base_values.tftest.hcl b/nullplatform/base/tests/base_values.tftest.hcl
index 3f3bc0a7..12dbf1b3 100644
--- a/nullplatform/base/tests/base_values.tftest.hcl
+++ b/nullplatform/base/tests/base_values.tftest.hcl
@@ -222,3 +222,51 @@ run "newrelic_metrics_disabled" {
 error_message = "newrelic metricsEnabled should be false"
 }
 }
+
+############################################
+# public gateway name + load balancer type
+############################################
+
+run "gateway_public_name_defaults_to_gateway_public" {
+ command = plan
+
+ assert {
+ condition = strcontains(output.rendered_values, "name: \"gateway-public\"")
+ error_message = "public gateway name should default to gateway-public so existing installs keep their Gateway and HTTPRoute parentRefs"
+ }
+}
+
+run "gateway_public_name_override" {
+ command = plan
+
+ variables {
+ gateway_public_name = "internet-facing"
+ }
+
+ assert {
+ condition = strcontains(output.rendered_values, "name: \"internet-facing\"")
+ error_message = "public gateway name should be overridable to match container-orchestration.gateway.public_name"
+ }
+}
+
+run "gateway_public_load_balancer_type_defaults_to_external" {
+ command = plan
+
+ assert {
+ condition = strcontains(output.rendered_values, "loadBalancerType: \"external\"")
+ error_message = "public gateway loadBalancerType should default to external"
+ }
+}
+
+run "gateway_public_load_balancer_type_internal" {
+ command = plan
+
+ variables {
+ gateway_public_load_balancer_type = "internal"
+ }
+
+ assert {
+ condition = strcontains(output.rendered_values, "loadBalancerType: \"internal\"\n")
+ error_message = "public gateway loadBalancerType should be settable to internal for Cloudflare Tunnel / VPN setups"
+ }
+}
diff --git a/nullplatform/base/variables.tf b/nullplatform/base/variables.tf
index 46bba233..29d68f8b 100644
--- a/nullplatform/base/variables.tf
+++ b/nullplatform/base/variables.tf
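Review bot: The assertion in `gateway_public_load_balancer_type_internal` matches `"loadBalancerType: \"internal\"\n"`, which distinguishes the public gateway from the internal one only because the internal gateway's line in the values template carries a trailing `# internal, external` comment. If that comment is removed, the substring is found even when the public gateway renders as external, so the test would stop detecting a regression in the exposure setting. Decoding the rendered values pins the field directly, e.g. `condition = yamldecode(output.rendered_values).gateway.public.loadBalancerType == "internal"`; the key path is assumed from the template, whose indentation is not visible here, so confirm it. The other three `strcontains` checks would benefit from the same approach, and a run that sets an invalid value with `expect_failures = [var.gateway_public_load_balancer_type]` would cover the new validation block.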
@@ -69,12 +69,28 @@ variable "gateway_public_enabled" {
 default = true
 }
 
+variable "gateway_public_name" {
+ type = string
+ description = "Name of the public Gateway resource created by the chart. Must match the gateway name the nullplatform agent resolves from container-orchestration.gateway.public_name (e.g. 'internet-facing' on AKS), otherwise HTTPRoutes are created with an unresolvable parentRef. Defaults to 'gateway-public' for backward compatibility: changing it on an existing install recreates the Gateway and orphans every HTTPRoute referencing the old name, causing a traffic outage until routes are regenerated."
+ default = "gateway-public"
+}
+
 variable "internal_azure_load_balancer_subnet" {
 description = "The name of the subnet to use in azure private load balancer"
 type = string
 default = "load_balancer"
 }
 
+variable "gateway_public_load_balancer_type" {
+ type = string
+ description = "Load balancer type for the public gateway. Use 'internal' for Cloudflare Tunnel / VPN setups where public access is proxied through the private network. Use 'external' for direct internet exposure."
+ default = "external"
+ validation {
+ condition = contains(["internal", "external"], var.gateway_public_load_balancer_type)
+ error_message = "Must be 'internal' or 'external'."
+ }
+}
+
 variable "gateway_use_cluster_ip" {
 description = ""
 type = bool
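Review bot: `gateway_public_name` has no `validation` block, although its value is interpolated into a double-quoted YAML scalar in the values template (`name: "${gateway_public_name}"`) and ends up as a Kubernetes object name. A value containing a quote, a newline or upper-case characters would yield broken or altered chart values, or fail only at apply time, instead of being rejected at plan time the way `gateway_public_load_balancer_type` is. Restricting the name to a DNS-1123 label closes that gap; the pattern below is deliberately conservative, so loosen it if the chart accepts longer names.

```hcl
variable "gateway_public_name" {
  # … unchanged: type, description, default …
  validation {
    condition     = can(regex("^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$", var.gateway_public_name))
    error_message = "Must be a DNS-1123 label: lowercase letters, digits and '-', starting and ending with an alphanumeric, at most 63 characters."
  }
}
```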