diff --git a/api/config/v1alpha1/helpers.go b/api/config/v1alpha1/helpers.go index 1f63672d3266..0b26d50308c4 100644 --- a/api/config/v1alpha1/helpers.go +++ b/api/config/v1alpha1/helpers.go @@ -107,8 +107,8 @@ func DefaultKubernetesDeploymentReplicas() *int32 { return &repl } -// DefaultKubernetesDeploymentImage returns the default envoyproxy image. -func DefaultKubernetesDeploymentImage() *string { +// DefaultKubernetesContainerImage returns the default envoyproxy image. +func DefaultKubernetesContainerImage() *string { return pointer.String(DefaultEnvoyProxyImage) } @@ -118,7 +118,6 @@ func DefaultKubernetesDeployment() *KubernetesDeploymentSpec { Replicas: DefaultKubernetesDeploymentReplicas(), Pod: DefaultKubernetesPod(), Container: DefaultKubernetesContainer(), - Image: DefaultKubernetesDeploymentImage(), } } @@ -131,6 +130,7 @@ func DefaultKubernetesPod() *KubernetesPodSpec { func DefaultKubernetesContainer() *KubernetesContainerSpec { return &KubernetesContainerSpec{ Resources: DefaultResourceRequirements(), + Image: DefaultKubernetesContainerImage(), } } @@ -194,8 +194,8 @@ func (r *EnvoyProxyProvider) GetEnvoyProxyKubeProvider() *EnvoyProxyKubernetesPr r.Kubernetes.EnvoyDeployment.Container.Resources = DefaultResourceRequirements() } - if r.Kubernetes.EnvoyDeployment.Image == nil { - r.Kubernetes.EnvoyDeployment.Image = DefaultKubernetesDeploymentImage() + if r.Kubernetes.EnvoyDeployment.Container.Image == nil { + r.Kubernetes.EnvoyDeployment.Container.Image = DefaultKubernetesContainerImage() } if r.Kubernetes.EnvoyService == nil { @@ -242,5 +242,9 @@ func (r *EnvoyGatewayProvider) GetEnvoyGatewayKubeProvider() *EnvoyGatewayKubern r.Kubernetes.RateLimitDeployment.Container.Resources = DefaultResourceRequirements() } + if r.Kubernetes.RateLimitDeployment.Container.Image == nil { + r.Kubernetes.RateLimitDeployment.Container.Image = DefaultKubernetesContainerImage() + } + return r.Kubernetes } 
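Review bot: In the `GetEnvoyGatewayKubeProvider` hunk, a nil `RateLimitDeployment.Container.Image` is now filled with `DefaultKubernetesContainerImage()`, which per the first hunk returns `DefaultEnvoyProxyImage`, so the rate limit deployment is defaulted to the Envoy proxy image. The `DefaultKubernetesContainer()` hunk has the same effect for every caller of that helper, since it now sets `Image` unconditionally. If the rate limit workload is rendered from this field (the consumer is not visible here), it would run an image that was never intended for it, and a reader of the resolved config could not tell an operator's choice from this default. Consider leaving the rate limit image nil at this point or defaulting it from a rate-limit-specific value, and make the scope explicit in the doc comment, e.g. `// DefaultKubernetesContainerImage returns the default envoyproxy image; only valid for the Envoy proxy container.` Both function bodies begin outside their hunks.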
diff --git a/api/config/v1alpha1/shared_types.go b/api/config/v1alpha1/shared_types.go index 0a0acb1f0250..2e7b2d4bef02 100644 --- a/api/config/v1alpha1/shared_types.go +++ b/api/config/v1alpha1/shared_types.go @@ -57,11 +57,6 @@ type KubernetesDeploymentSpec struct { // +optional Container *KubernetesContainerSpec `json:"container,omitempty"` - // Image specifies the EnvoyProxy container image to be used, instead of the default image. - // - // +optional - Image *string `json:"image,omitempty"` - // TODO: Expose config as use cases are better understood, e.g. labels. } @@ -94,6 +89,11 @@ type KubernetesContainerSpec struct { // // +optional SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"` + + // Image specifies the EnvoyProxy container image to be used, instead of the default image. + // + // +optional + Image *string `json:"image,omitempty"` } // ServiceType string describes ingress methods for a service diff --git a/api/config/v1alpha1/validate_test.go b/api/config/v1alpha1/validate_test.go index 2c6eecf3818d..aa10282af6a9 100644 --- a/api/config/v1alpha1/validate_test.go +++ b/api/config/v1alpha1/validate_test.go @@ -241,10 +241,10 @@ func TestEnvoyGatewayProvider(t *testing.T) { envoyGatewayProvider := envoyGateway.GetEnvoyGatewayProvider() assert.True(t, envoyGatewayProvider.Kubernetes == nil) - assert.True(t, reflect.DeepEqual(envoyGateway.Provider, envoyGatewayProvider)) + assert.Equal(t, envoyGateway.Provider, envoyGatewayProvider) envoyGatewayProvider.Kubernetes = DefaultEnvoyGatewayKubeProvider() - assert.True(t, reflect.DeepEqual(envoyGatewayProvider.Kubernetes.RateLimitDeployment, DefaultKubernetesDeployment())) + assert.Equal(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment, DefaultKubernetesDeployment()) envoyGatewayProvider.Kubernetes = &EnvoyGatewayKubernetesProvider{} assert.True(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment == nil) 
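Review bot: Moving `Image` from `KubernetesDeploymentSpec` to `KubernetesContainerSpec` changes the serialized path from `envoyDeployment.image` to `envoyDeployment.container.image`, and nothing in these hunks converts or rejects the old key. An existing EnvoyProxy resource that pins an image under the old path would presumably have the field dropped or ignored and fall back to the default image without an error, which matters where that pin is a supply-chain control. This deserves an explicit upgrade note. Because the struct is also used for the rate limit deployment, the field comment should no longer name EnvoyProxy: `// Image specifies the container image to be used, instead of the default image.`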
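Review bot: The new `assert.Equal` calls in `TestEnvoyGatewayProvider` pass the value under test first and the expected default second, while testify's signature is `assert.Equal(t, expected, actual)`, so a failure will label the two sides the wrong way round. Swap the arguments, e.g. `assert.Equal(t, DefaultKubernetesDeployment(), envoyGatewayProvider.Kubernetes.RateLimitDeployment)`; the same applies to the calls in the following hunk at -265. If no `reflect.DeepEqual` call remains in the file (the import block is outside these hunks), the `reflect` import has to be removed as well or the test package will not compile. The test function starts outside this hunk.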
@@ -265,24 +265,27 @@ func TestEnvoyGatewayProvider(t *testing.T) { Container: &KubernetesContainerSpec{ Resources: nil, SecurityContext: nil, + Image: nil, }, }} assert.True(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment.Container.Resources == nil) envoyGatewayProvider.GetEnvoyGatewayKubeProvider() assert.True(t, envoyGatewayProvider.Kubernetes != nil) - assert.True(t, reflect.DeepEqual(envoyGatewayProvider.Kubernetes, envoyGatewayKubeProvider)) + assert.Equal(t, envoyGatewayProvider.Kubernetes, envoyGatewayKubeProvider) assert.True(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment != nil) - assert.True(t, reflect.DeepEqual(envoyGatewayProvider.Kubernetes.RateLimitDeployment, DefaultKubernetesDeployment())) + assert.Equal(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment, DefaultKubernetesDeployment()) assert.True(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment.Replicas != nil) - assert.True(t, reflect.DeepEqual(envoyGatewayProvider.Kubernetes.RateLimitDeployment.Replicas, DefaultKubernetesDeploymentReplicas())) + assert.Equal(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment.Replicas, DefaultKubernetesDeploymentReplicas()) assert.True(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment.Pod != nil) - assert.True(t, reflect.DeepEqual(envoyGatewayProvider.Kubernetes.RateLimitDeployment.Pod, DefaultKubernetesPod())) + assert.Equal(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment.Pod, DefaultKubernetesPod()) assert.True(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment.Container != nil) - assert.True(t, reflect.DeepEqual(envoyGatewayProvider.Kubernetes.RateLimitDeployment.Container, DefaultKubernetesContainer())) + assert.Equal(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment.Container, DefaultKubernetesContainer()) assert.True(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment.Container.Resources != nil) - assert.True(t, reflect.DeepEqual(envoyGatewayProvider.Kubernetes.RateLimitDeployment.Container.Resources, 
DefaultResourceRequirements())) + assert.Equal(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment.Container.Resources, DefaultResourceRequirements()) + assert.True(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment.Container.Image != nil) + assert.Equal(t, envoyGatewayProvider.Kubernetes.RateLimitDeployment.Container.Image, DefaultKubernetesContainerImage()) } func TestEnvoyProxyProvider(t *testing.T) { diff --git a/api/config/v1alpha1/zz_generated.deepcopy.go b/api/config/v1alpha1/zz_generated.deepcopy.go index 678dea9631ad..64ca7be70860 100644 --- a/api/config/v1alpha1/zz_generated.deepcopy.go +++ b/api/config/v1alpha1/zz_generated.deepcopy.go @@ -409,6 +409,11 @@ func (in *KubernetesContainerSpec) DeepCopyInto(out *KubernetesContainerSpec) { *out = new(v1.SecurityContext) (*in).DeepCopyInto(*out) } + if in.Image != nil { + in, out := &in.Image, &out.Image + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesContainerSpec. @@ -439,11 +444,6 @@ func (in *KubernetesDeploymentSpec) DeepCopyInto(out *KubernetesDeploymentSpec) *out = new(KubernetesContainerSpec) (*in).DeepCopyInto(*out) } - if in.Image != nil { - in, out := &in.Image, &out.Image - *out = new(string) - **out = **in - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesDeploymentSpec. diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md index 4f0fad1c6e55..2eedff6ab33b 100644 --- a/charts/gateway-helm/README.md +++ b/charts/gateway-helm/README.md 
@@ -1,9 +1,28 @@ -# Usage +# gateway-helm + +![Version: v0.0.0-latest](https://img.shields.io/badge/Version-v0.0.0--latest-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) + +The Helm chart for Envoy Gateway + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| envoy-gateway-steering-committee | | | +| envoy-gateway-maintainers | | | + +## Source Code + +* + +## Usage [Helm](https://helm.sh) must be installed to use the charts. Please refer to Helm's [documentation](https://helm.sh/docs) to get started. -## Install from DockerHub +### Install from DockerHub Once Helm has been set up correctly, install the chart from dockerhub: @@ -11,22 +30,22 @@ Once Helm has been set up correctly, install the chart from dockerhub: helm install eg oci://docker.io/envoyproxy/gateway-helm -n envoy-gateway-system --create-namespace ``` -## Install from Source Code +### Install from Source Code You can also install the helm chart from the source code: To install the eg chart along with Gateway API CRDs and Envoy Gateway CRDs: ``` shell - helm install eg --create-namespace charts/gateway-helm -n envoy-gateway-system + make kube-deploy TAG=latest ``` -## Skip install CRDs +### Skip install CRDs You can install the eg chart along without Gateway API CRDs and Envoy Gateway CRDs, make sure CRDs exist in Cluster first if you want to skip to install them, otherwise EG may fail to start: ``` shell - helm install eg --create-namespace charts/gateway-helm -n envoy-gateway-system --skip-crds + helm install eg --create-namespace oci://docker.io/envoyproxy/gateway-helm -n envoy-gateway-system --skip-crds ``` To uninstall the chart: 
@@ -34,3 +53,31 @@ To uninstall the chart: ``` shell helm delete eg ``` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | +| config.envoyGateway.provider.type | string | `"Kubernetes"` | | +| deployment.envoyGateway.image.repository | string | `"docker.io/envoyproxy/gateway-dev"` | | +| deployment.envoyGateway.image.tag | string | `"latest"` | | +| deployment.envoyGateway.imagePullPolicy | string | `"Always"` | | +| deployment.envoyGateway.resources.limits.cpu | string | `"500m"` | | +| deployment.envoyGateway.resources.limits.memory | string | `"128Mi"` | | +| deployment.envoyGateway.resources.requests.cpu | string | `"10m"` | | +| deployment.envoyGateway.resources.requests.memory | string | `"64Mi"` | | +| deployment.kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | | +| deployment.kubeRbacProxy.image.tag | string | `"v0.11.0"` | | +| deployment.kubeRbacProxy.resources.limits.cpu | string | `"500m"` | | +| deployment.kubeRbacProxy.resources.limits.memory | string | `"128Mi"` | | +| deployment.kubeRbacProxy.resources.requests.cpu | string | `"5m"` | | +| deployment.kubeRbacProxy.resources.requests.memory | string | `"64Mi"` | | +| deployment.ports[0].name | string | `"grpc"` | | +| deployment.ports[0].port | int | `18000` | | +| deployment.ports[0].targetPort | int | `18000` | | +| deployment.replicas | int | `1` | | +| envoyGatewayMetricsService.ports[0].name | string | `"https"` | | +| envoyGatewayMetricsService.ports[0].port | int | `8443` | | +| envoyGatewayMetricsService.ports[0].protocol | string | `"TCP"` | | +| envoyGatewayMetricsService.ports[0].targetPort | string | `"https"` | | 
diff --git a/charts/gateway-helm/crds/generated/config.gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/config.gateway.envoyproxy.io_envoyproxies.yaml index ce7b45fcd671..62071c56d240 100644 --- a/charts/gateway-helm/crds/generated/config.gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/config.gateway.envoyproxy.io_envoyproxies.yaml @@ -96,6 +96,10 @@ spec: description: Container defines the resources and securityContext of container. properties: + image: + description: Image specifies the EnvoyProxy container + image to be used, instead of the default image. + type: string resources: description: 'Resources required by this container. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' @@ -346,10 +350,6 @@ spec: type: object type: object type: object - image: - description: Image specifies the EnvoyProxy container - image to be used, instead of the default image. - type: string pod: description: Pod defines the desired annotations and securityContext of container. diff --git a/docs/latest/api/config_types.md b/docs/latest/api/config_types.md index e3959ea8f254..87118b7dbe47 100644 --- a/docs/latest/api/config_types.md +++ b/docs/latest/api/config_types.md 
@@ -257,6 +257,7 @@ _Appears in:_ | --- | --- | | `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#resourcerequirements-v1-core)_ | Resources required by this container. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | | `securityContext` _[SecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#securitycontext-v1-core)_ | SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | +| `image` _string_ | Image specifies the EnvoyProxy container image to be used, instead of the default image. | ## KubernetesDeploymentSpec @@ -274,7 +275,6 @@ _Appears in:_ | `replicas` _integer_ | Replicas is the number of desired pods. Defaults to 1. | | `pod` _[KubernetesPodSpec](#kubernetespodspec)_ | Pod defines the desired annotations and securityContext of container. | | `container` _[KubernetesContainerSpec](#kubernetescontainerspec)_ | Container defines the resources and securityContext of container. | -| `image` _string_ | Image specifies the EnvoyProxy container image to be used, instead of the default image. | ## KubernetesPodSpec diff --git a/docs/latest/design/system-design.md b/docs/latest/design/system-design.md index 731cb0925b03..86114be37fa2 100644 --- a/docs/latest/design/system-design.md +++ b/docs/latest/design/system-design.md 
@@ -39,7 +39,7 @@ defined as Kubernetes resources that provide the following services: * Infrastructure Management- Manage the data plane infrastructure, i.e. deploy, upgrade, etc. This configuration is expressed through [GatewayClass][gc] and [Gateway][gw] resources. The `EnvoyProxy` [Custom Resource][cr] can be referenced by `gatewayclass.spec.parametersRef` to modify data plane infrastructure default parameters, - e.g. expose Envoy network endpoints using a NodePort service instead of a LoadBalancer service. + e.g. expose Envoy network endpoints using a `ClusterIP` service instead of a `LoadBalancer` service. * Traffic Routing- Define how to handle application-level requests to backend services. For example, route all HTTP requests for "www.example.com" to a backend service running a web server. This configuration is expressed through [HTTPRoute][hroute] and [TLSRoute][troute] resources that match, filter, and route traffic to a [backend][be]. diff --git a/docs/latest/user/customize-envoyproxy.md b/docs/latest/user/customize-envoyproxy.md index 4962f1caf3ec..b17ee01745cb 100644 --- a/docs/latest/user/customize-envoyproxy.md +++ b/docs/latest/user/customize-envoyproxy.md @@ -72,7 +72,8 @@ spec: type: Kubernetes kubernetes: envoyDeployment: - image: envoyproxy/envoy:v1.25-latest + container: + image: envoyproxy/envoy:v1.25-latest EOF ``` @@ -94,9 +95,10 @@ spec: type: Kubernetes kubernetes: envoyDeployment: - podAnnotations: - custom1: deploy-annotation1 - custom2: deploy-annotation2 + pod: + annotations: + custom1: deploy-annotation1 + custom2: deploy-annotation2 EOF ``` @@ -118,13 +120,14 @@ spec: type: Kubernetes kubernetes: envoyDeployment: - resources: - requests: - cpu: 150m - memory: 640Mi - limits: - cpu: 500m - memory: 1Gi + container: + resources: + requests: + cpu: 150m + memory: 640Mi + limits: + cpu: 500m + memory: 1Gi EOF ``` 
@@ -155,31 +158,6 @@ EOF After applying the config, you can get the envoyproxy service, and see annotations has been added. -## Customize EnvoyProxy Service Annotations - -You can customize the EnvoyProxy Service Annotations via EnvoyProxy Config like: - -```shell -cat <