diff --git a/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/externalsecrets/external-apps-ingress-certificate.yaml b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/externalsecrets/external-apps-ingress-certificate.yaml
new file mode 100644
index 00000000..48f73ecf
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/externalsecrets/external-apps-ingress-certificate.yaml
@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: external-apps-ingress-certificate
+ namespace: openshift-ingress-operator
+spec:
+ secretStoreRef:
+ name: nerc-secret-store
+ kind: SecretStore
+ target:
+ name: external-apps-ingress-certificate
+ template:
+ type: kubernetes.io/tls
+ dataFrom:
+ - extract:
+ key: nerc/nerc-ocp-prod/openshift-ingress/external-apps-ingress-certificate
diff --git a/cluster-scope/overlays/nerc-ocp-prod/ingresscontrollers/external-apps-ingress-controller.yaml b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/ingresscontrollers/external-apps.yaml
similarity index 63%
rename from cluster-scope/overlays/nerc-ocp-prod/ingresscontrollers/external-apps-ingress-controller.yaml
rename to cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/ingresscontrollers/external-apps.yaml
index 563e2085..de74a080 100644
--- a/cluster-scope/overlays/nerc-ocp-prod/ingresscontrollers/external-apps-ingress-controller.yaml
+++ b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/ingresscontrollers/external-apps.yaml
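Review bot: The ExternalSecret sits in `openshift-ingress-operator`, so the generated `kubernetes.io/tls` secret is created in that namespace, whereas the IngressController's `defaultCertificate` reference is, as far as I recall, resolved against the `openshift-ingress` namespace (which is also what the store key path `nerc/nerc-ocp-prod/openshift-ingress/...` suggests). If that is right the router will never find the certificate and `namespace:` should read `openshift-ingress`; worth confirming against the ingress-operator documentation before merging. `refreshInterval` is left at the operator default, so the rotation cadence is invisible in the manifest; making it explicit, or adding `# refreshInterval: operator default` above `secretStoreRef`, would help the next reader.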
@@ -1,9 +1,12 @@
 apiVersion: operator.openshift.io/v1
 kind: IngressController
 metadata:
- name: external-apps-ingress-controller
+ name: external-apps
 namespace: openshift-ingress-operator
 spec:
+ # The "domain" setting does not automatically apply to routes as you might
+ # expect; see https://github.com/OCP-on-NERC/operations/issues/41 for
+ # details.
 domain: apps.shift.nerc.mghpcc.org
 defaultCertificate:
 name: external-apps-ingress-certificate
@@ -15,6 +18,6 @@ spec:
 nodeSelector:
 matchLabels:
 nerc.mghpcc.org/external-ingress: 'true'
- namespaceSelector:
+ routeSelector:
 matchLabels:
- type: external
+ nerc.mghpcc.org/external-ingress: 'true'
diff --git a/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/kustomization.yaml
new file mode 100644
index 00000000..92f9f0d0
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+ nerg.mghpcc.org/feature: external-ingress
+
+resources:
+- ingresscontrollers/external-apps.yaml
+- externalsecrets/external-apps-ingress-certificate.yaml
+- post-sync-hook
diff --git a/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/job.yaml b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/job.yaml
new file mode 100644
index 00000000..3c474db8
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/job.yaml
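Review bot: Replacing `namespaceSelector` with a `routeSelector` on `nerc.mghpcc.org/external-ingress: 'true'` moves the decision of what is served on the public controller from whoever can label namespaces (cluster admins) to whoever can create or label a Route in any namespace, because route labels are owned by the route's author. If admin control over external exposure is still intended, keep a `namespaceSelector` alongside the `routeSelector` (a route must match both to be admitted) or enforce the label through admission policy, and record the chosen model in the comment block above `domain`. The default controller will also keep admitting these routes unless it is sharded to exclude the label; worth confirming that is acceptable. The rename to `external-apps` changes the router Service name as well, which the `router-external-apps` patch elsewhere in this commit already reflects.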
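Review bot: The `commonLabels` key is spelled `nerg.mghpcc.org/feature` while every other label in this commit uses the `nerc.mghpcc.org/` prefix, so this looks like a typo that yields a label nothing will ever select on; `nerc.mghpcc.org/feature: external-ingress` is presumably intended. Bear in mind that `commonLabels` is also injected into selectors on the kinds kustomize knows about, so renaming the key later is not a clean change for the generated Job's pod template; the `labels:` transformer with `includeSelectors: false` avoids that if the kustomize version in use supports it. Sequence indentation here is flush (`- ingresscontrollers/...`) while the post-sync-hook kustomization indents its sequences; the feature would read better with one style.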
@@ -0,0 +1,34 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: patch-external-ingress-service
+ annotations:
+ argocd.argoproj.io/hook: PostSync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ serviceAccountName: patcher
+ containers:
+ - name: patcher
+ # This is 4.10.42
+ image: quay.io/openshift/origin-cli:4.10
+ command:
+ - bash
+ - /scripts/apply-patches.sh
+ - /patches
+ volumeMounts:
+ - name: patch-scripts
+ mountPath: /scripts
+ - name: patches
+ mountPath: /patches
+
+ volumes:
+ - name: patch-scripts
+ configMap:
+ name: patch-scripts
+
+ - name: patches
+ configMap:
+ name: patches
diff --git a/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/kustomization.yaml
new file mode 100644
index 00000000..30d1e93d
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/kustomization.yaml
@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: openshift-ingress
+
+commonLabels:
+ app: patch-external-ingress-service
+
+resources:
+ - job.yaml
+ - serviceaccount.yaml
+ - role.yaml
+ - rolebinding.yaml
+
+configMapGenerator:
+ - name: patch-scripts
+ files:
+ - scripts/apply-patches.sh
+
+ - name: patches
+ files:
+ - patches/router-external-apps.patch.yaml
diff --git a/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/patches/router-external-apps.patch.yaml b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/patches/router-external-apps.patch.yaml
new file mode 100644
index 00000000..8a198ee9
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/patches/router-external-apps.patch.yaml
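Review bot: `image: quay.io/openshift/origin-cli:4.10` is a moving tag, and the comment `# This is 4.10.42` records whatever the tag resolved to on the day it was written, so it will go stale silently; since this container runs under a service account allowed to patch Services in `openshift-ingress`, pin by digest, `image: quay.io/openshift/origin-cli@sha256:<digest of the 4.10.42 build>`, and keep the human-readable tag in the comment. The Job has no `backoffLimit` or `activeDeadlineSeconds`, so a hung `kubectl patch` (API unavailable, for instance) can leave the PostSync hook pending indefinitely; something like `backoffLimit: 3` and `activeDeadlineSeconds: 300` under `spec:` bounds that. The script the container runs, `/scripts/apply-patches.sh`, is reviewed on its own hunk.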
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ metallb.universe.tf/address-pool: public
+ name: router-external-apps
+spec:
+ loadBalancerIP: 199.94.61.6
diff --git a/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/role.yaml b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/role.yaml
new file mode 100644
index 00000000..d77125b9
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/role.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: patcher-allow-patching
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - patch
diff --git a/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/rolebinding.yaml b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/rolebinding.yaml
new file mode 100644
index 00000000..ba21e3e8
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/rolebinding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: patcher-allow-patching
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: patcher-allow-patching
+subjects:
+- kind: ServiceAccount
+ name: patcher
diff --git a/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/scripts/apply-patches.sh b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/scripts/apply-patches.sh
new file mode 100644
index 00000000..0cc0bcb8
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/scripts/apply-patches.sh
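Review bot: `spec.loadBalancerIP` is deprecated upstream from Kubernetes 1.24 onward, and MetalLB (0.13 and later, as far as I know) takes the pinned address from the `metallb.universe.tf/loadBalancerIPs` annotation instead; on the 4.10 release targeted here the field still works, so this is a heads-up for the next cluster upgrade rather than a blocker. A one-line comment above `loadBalancerIP`, e.g. `# deprecated in k8s 1.24; move to the metallb.universe.tf/loadBalancerIPs annotation on upgrade`, would keep that from being rediscovered the hard way.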
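Review bot: The Role grants `patch` on every Service in `openshift-ingress`, but the hook only ever touches `router-external-apps`; adding `resourceNames: [router-external-apps]` to the rule scopes it so a misdirected or compromised hook cannot repoint the default router's Service. `resourceNames` is honoured for the `patch` verb, so nothing else in the hook changes. If more patch files are added later, extend the list rather than dropping the restriction.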
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+PATCH_DIR="$1"
+
+shopt -s nullglob
+
+mapfile -t patches < <(printf "%s\n" \
+ "$PATCH_DIR"/*.patch.yaml \
+ "$PATCH_DIR"/*.jsonpatch.yaml \
+ "$PATCH_DIR"/*.jsonmerge.yaml | sort)
+
+for patch in "${patches[@]}"; do
+
+ # For strategic merge patches it's possible to infer the target of the patch
+ # from the patch itself, but other patch types -- such as JSONPatch patches
+ # -- require us to provide an explicit target.
+ #
+ # The following code replaces the patch type in the filename with "target"
+ # (so that "something.patch.yaml" becomes "something.target.yaml"), and
+ # if the resulting filename exists it will be used to determine the
+ # target of the patch.
+ targetname=$(awk -vOFS=. -F. '{$(NF-1) = "target"; print}' <<<"$patch")
+
+ if [[ -f "$targetname" ]]; then
+ target=$targetname
+ else
+ target=$patch
+ fi
+
+ case $patch in
+ *.patch.yaml)
+ patch_type=strategic;;
+ *.jsonpatch.yaml)
+ patch_type=json;;
+ *.mergepatch.yaml)
+ patch_type=merge;;
+
+ *) echo "ERROR: $patch: unknown patch type" >&2
+ continue
+ ;;
+ esac
+
+ echo "Applying $patch"
+ if ! kubectl patch -f "$target" --patch-file "$patch" --type "$patch_type"; then
+ echo "ERROR: $patch: failed to apply" >&2
+ fi
+done
diff --git a/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/serviceaccount.yaml b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/serviceaccount.yaml
new file mode 100644
index 00000000..012eacc4
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-prod/feature/external-ingress/post-sync-hook/serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: patcher
diff --git a/cluster-scope/overlays/nerc-ocp-prod/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-prod/kustomization.yaml
index 160c9481..ee8d91d4 100644
--- a/cluster-scope/overlays/nerc-ocp-prod/kustomization.yaml
+++ b/cluster-scope/overlays/nerc-ocp-prod/kustomization.yaml
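Review bot: The glob list collects `"$PATCH_DIR"/*.jsonmerge.yaml` but the `case` only recognises `*.mergepatch.yaml`, so any JSON merge patch dropped into the directory is always reported as an unknown patch type while a `.mergepatch.yaml` file is never picked up at all; one of the two spellings has to change (kubectl's type is `merge`, so `mergepatch` reads more naturally). A failed `kubectl patch`, or an unrecognised file, only logs to stderr and the script still exits 0, so the Job is marked successful, the Argo CD PostSync hook passes, and `restartPolicy: OnFailure` never retries; the loop should count failures and exit non-zero when any occurred. An empty `$1` also silently globs `/`, which `PATCH_DIR="${1:?patch directory required}"` would catch. The rewrite below fixes the glob and the exit status; the target lookup and the three known-type branches are unchanged.
```shell
PATCH_DIR="${1:?patch directory required}"

# … unchanged: shopt -s nullglob …

mapfile -t patches < <(printf "%s\n" \
  "$PATCH_DIR"/*.patch.yaml \
  "$PATCH_DIR"/*.jsonpatch.yaml \
  "$PATCH_DIR"/*.mergepatch.yaml | sort)

failures=0
for patch in "${patches[@]}"; do
  # … unchanged: targetname / target lookup …

  case $patch in
    # … unchanged: *.patch.yaml / *.jsonpatch.yaml / *.mergepatch.yaml branches …
    *) echo "ERROR: $patch: unknown patch type" >&2
       failures=$((failures + 1))
       continue
       ;;
  esac

  echo "Applying $patch"
  if ! kubectl patch -f "$target" --patch-file "$patch" --type "$patch_type"; then
    echo "ERROR: $patch: failed to apply" >&2
    failures=$((failures + 1))
  fi
done

if (( failures > 0 )); then
  echo "ERROR: $failures patch(es) did not apply" >&2
  exit 1
fi
```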
@@ -9,8 +9,8 @@ resources:
 - ../../bundles/metallb
 - ../../bundles/xdmod-reader
 - feature/odf
+- feature/external-ingress
 - ../../base/core/namespaces/openshift-gitops
-- ingresscontrollers/external-apps-ingress-controller.yaml
 - externalsecrets
 - apiserver/cluster.yaml
 - secretstores