diff --git a/doc/install/install-kubernetes.md b/doc/install/install-kubernetes.md
index bc971eb06..345e87753 100644
--- a/doc/install/install-kubernetes.md
+++ b/doc/install/install-kubernetes.md
@@ -42,9 +42,9 @@ curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releas
     There are several ways to install Istio (via `istioctl`, Helm chart or Operator) - this is just an example for starting from a bare Kubernetes cluster.
 
 ```bash
-curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.21.4 sh -
-./istio-1.21.4/bin/istioctl install --set profile=minimal
-./istio-1.21.4/bin/istioctl operator init
+curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.22.5 sh -
+./istio-1.22.5/bin/istioctl install --set profile=minimal
+./istio-1.22.5/bin/istioctl operator init
 kubectl apply -f https://raw.githubusercontent.com/Kuadrant/kuadrant-operator/main/config/dependencies/istio/istio-operator.yaml
 ```
 
@@ -109,7 +109,9 @@ Kuadrant is now ready to use.
 
 ### (Optional) `DNSPolicy` setup
 
-If you plan to use `DNSPolicy`, you will need an AWS Account with access to Route 53 (more providers coming soon), and a hosted zone.
+If you plan to use `DNSPolicy`, this doc uses an AWS Account with access to Route 53. There are other providers that you can also use for DNS integration: 
+
+[DNS Providers](https://docs.kuadrant.io/latest/dns-operator/docs/provider/)
 
 Export the following environment variables for setup:
 
@@ -140,7 +142,11 @@ Follow these steps to create the necessary secret:
     ```bash
     # Replace this with an accessible Redis cluster URL
     export REDIS_URL=redis://user:xxxxxx@some-redis.com:6379
-
+    
+    ```    
+3. Create the secret:
+    
+    ```bash
     kubectl -n kuadrant-system create secret generic redis-config \
       --from-literal=URL=$REDIS_URL
     ```
@@ -148,24 +154,25 @@ Follow these steps to create the necessary secret:
 This will create a secret named `redis-config` in the `kuadrant-system` namespace containing your Redis cluster URL, which Kuadrant will use for multi-cluster rate limiting.
 
 
-You'll also need to update your earlier created `Kuadrant` instance to reconfigure Kuadrant to use Redis:
+You'll also need to update the `Limitador` instance (the component that handles rate limiting) to reconfigure Kuadrant to use Redis:
 
 ```bash
-kubectl apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta1
-kind: Kuadrant
-metadata:
-  name: kuadrant
-  namespace: kuadrant-system
+kubectl patch limitador limitador --type=merge -n kuadrant-system -p '
 spec:
-  limitador:
-    storage:
-      redis-cached:
-        configSecretRef:
-          name: redis-config
-EOF
+  storage:
+    redis:
+      configSecretRef:
+        name: redis-config
+'
+
+kubectl wait limitador/limitador -n kuadrant-system --for="condition=Ready=true"
+
 ```
 
+### Metal LB (local setup)
+
+If you are using a local kind cluster, we recommend using [metallb](https://metallb.universe.tf/) to allow the service type loadbalancer to be used with your gateways and an IP to be assigned to your gateway address rather than an internal service name.
+
 ## Next Steps
 
 - [Secure, protect, and connect APIs with Kuadrant on Kubernetes](../user-guides/secure-protect-connect.md)
diff --git a/doc/install/install-openshift.md b/doc/install/install-openshift.md
index 7117f0462..96aa8bcb5 100644
--- a/doc/install/install-openshift.md
+++ b/doc/install/install-openshift.md
@@ -4,16 +4,26 @@
 
     You must perform these steps on each OpenShift cluster that you want to use Kuadrant on.
 
+    In this document we use AWS route 53 as the example setup.
+
+!!! warning
+    
+    Kuadrant uses a number of labels to search and filter resources on the cluster.
+    All required labels are formatted as `kuadrant.io/*`.
+    Removal of any labels with the prefix may cause unexpected behaviour and degradation of the product.
+
 ## Prerequisites
 
-- OpenShift Container Platform 4.14.x or later with community Operator catalog available.
-- AWS account with Route 53 and zone.
+- OpenShift Container Platform 4.16.x or later with community Operator catalog available.
+- AWS/Azure or GCP with DNS capabilities.
 - Accessible Redis instance.
 
 ## Procedure
 
 ### Step 1 - Set up your environment
 
+We use env vars for convenience only here. If you know these values you can setup the required yaml files in anyway that suites your needs.
+
 ```bash
 export AWS_ACCESS_KEY_ID=xxxxxxx # Key ID from AWS with Route 53 access
 export AWS_SECRET_ACCESS_KEY=xxxxxxx # Access key from AWS with Route 53 access
@@ -30,9 +40,9 @@ kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/downloa
 
 ### Step 3 - Install cert-manager
 
-Before you can use Kuadrant, you must install cert-manager.
+Before you can use Kuadrant, you must install cert-manager. Cert-Manager is used by kuadrant to manage TLS certificates for your gateways.
 
-> The minimum supported version of cert-manager is v1.12.1.
+> The minimum supported version of cert-manager is v1.14.0.
 
 Install one of the different flavours of the Cert-Manager.
 
@@ -48,6 +58,9 @@ More installation options at [cert-manager.io](https://cert-manager.io/docs/inst
 You can install the [cert-manager Operator for Red Hat OpenShift](https://docs.openshift.com/container-platform/4.16/security/cert_manager_operator/cert-manager-operator-install.html)
 by using the web console.
 
+>**Note:** Before using Kuadrant's `TLSPolicy` you will need to setup a certificate issuer refer to the [cert-manager docs for more details](https://cert-manager.io/docs/configuration/acme/dns01/route53/#creating-an-issuer-or-clusterissuer)
+
+
 ### Step 4 - (Optional) Install and configure Istio with the Sail Operator
 
 !!! note
@@ -136,7 +149,7 @@ kubectl wait istio/default -n gateway-system --for="condition=Ready=true"
 helm install eg oci://docker.io/envoyproxy/gateway-helm --version v1.1.0 -n envoy-gateway-system --create-namespace
 ```
 
-Enable *EnvoyPatchPolicy* feature:
+Enable _EnvoyPatchPolicy_ feature:
 
 ```bash
 TMP=$(mktemp -d)
@@ -183,7 +196,7 @@ If you have Grafana installed in your cluster, you can import the [example dashb
 For example installation details, see [installing Grafana on OpenShift](https://cloud.redhat.com/experts/o11y/ocp-grafana/). When installed, you must add your Thanos instance as a data source to Grafana. Alternatively, if you are using only the user workload monitoring stack in your OpenShift cluster, and not writing metrics to an external Thanos instance, you can [set up a data source to the thanos-querier route in the OpenShift cluster](https://docs.openshift.com/container-platform/4.15/observability/monitoring/accessing-third-party-monitoring-apis.html#accessing-metrics-from-outside-cluster_accessing-monitoring-apis-by-using-the-cli).
 
 
-### Step 7 - Create secrets for your credentials
+### Step 7 - Setup the catalogsource
 
 Before installing the Kuadrant Operator, you must enter the following commands to set up secrets that you will use later:
 
@@ -202,7 +215,7 @@ metadata:
   namespace: kuadrant-system
 spec:
   sourceType: grpc
-  image: quay.io/kuadrant/kuadrant-operator-catalog:v0.7.1
+  image: quay.io/kuadrant/kuadrant-operator-catalog:v0.11.0
   displayName: Kuadrant Operators
   publisher: grpc
   updateStrategy:
@@ -211,40 +224,6 @@ spec:
 EOF
 ```
 
-#### AWS Route 53 credentials for TLS
-
-Set the AWS Route 53 credentials for TLS verification as follows:
-
-```bash
-kubectl -n kuadrant-system create secret generic aws-credentials \
-  --type=kuadrant.io/aws \
-  --from-literal=AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
-  --from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
-```
-
-#### Redis credentials for rate limiting counters
-
-Set the Redis credentials for shared multicluster counters for the Kuadrant Limitador component as follows:
-
-```bash
-kubectl -n kuadrant-system create secret generic redis-config \
-  --from-literal=URL=$REDIS_URL
-```
-
-#### AWS Route 53 credentials for DNS
-
-Set the AWS Route 53 credentials for managing DNS records as follows:
-
-```bash
-kubectl create ns ingress-gateway
-```
-
-```bash
-kubectl -n ingress-gateway create secret generic aws-credentials \
-  --type=kuadrant.io/aws \
-  --from-literal=AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
-  --from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
-```
 
 ### Step 8 - Install the Kuadrant Operator
 
@@ -258,7 +237,7 @@ metadata:
   name: kuadrant-operator
   namespace: kuadrant-system
 spec:
-  channel: preview
+  channel: stable
   installPlanApproval: Automatic
   name: kuadrant-operator
   source: kuadrant-operator-catalog
@@ -282,9 +261,27 @@ kubectl get installplan -n kuadrant-system -o=jsonpath='{.items[0].status.phase}
 
 After some time, this command should return `complete`.
 
-### Step 9 - Configure Kuadrant
 
-To configure your Kuadrant deployment, enter the following command:
+#### Set up a DNSProvider
+
+The example here is for AWS Route 53. It is important the secret for the DNSProvider is setup in the same namespace as the gateway.
+
+```bash
+kubectl create ns ingress-gateway
+```
+
+```bash
+kubectl -n ingress-gateway create secret generic aws-credentials \
+  --type=kuadrant.io/aws \
+  --from-literal=AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
+  --from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+```
+
+For more details on other providers take a look at [DNS Providers](https://docs.kuadrant.io/latest/dns-operator/docs/provider/)
+
+### Step 9 - Install Kuadrant Components
+
+To trigger your Kuadrant deployment, enter the following command:
 
 ```bash
 kubectl apply -f - <<EOF
@@ -293,12 +290,6 @@ kind: Kuadrant
 metadata:
   name: kuadrant
   namespace: kuadrant-system
-spec:
-  limitador:
-    storage:
-      redis-cached:
-        configSecretRef:
-          name: redis-config
 EOF
 ```
 
@@ -308,7 +299,71 @@ Wait for Kuadrant to be ready as follows:
 kubectl wait kuadrant/kuadrant --for="condition=Ready=true" -n kuadrant-system --timeout=300s
 ```
 
+This will setup and configure a number of Kuadrant subcomponents. Some of these can also take additional configuration:
+
+- Authorino (Enforcement Component for AuthPolicy)
+  - Learn More: (Authorino CRD)[https://docs.kuadrant.io/latest/authorino-operator/#the-authorino-custom-resource-definition-crd]
+- Limitador (Enforcement Component for RateLimitPolicy)
+  - Learn More:(Limitador CRD)[https://docs.kuadrant.io/latest/limitador-operator/#features]
+- DNS Operator (Enforcement Component for DNSPOlicy)
+
+
+
+### Configuring Redis Storage for Limitador
+
+#### Redis credentials for storage of rate limiting counters
+
+In this installation we will show how to configure ratelimiting counters to be stored in redis. Before we go further we need to setup a redis secret to use later:
+
+```bash
+kubectl -n kuadrant-system create secret generic redis-config --from-literal="URL"=$REDIS_URL
+```
+
+#### Update limitador config
+
+To configure redis storage for Limatador, we must update the Limitador custom resource to use the secret we created:
+
+You can run a command like the one below to add this configuration:
+
+```
+kubectl patch limitador limitador --type=merge -n kuadrant-system -p '
+spec:
+  storage:
+    redis:
+      configSecretRef:
+        name: redis-config
+'
+```
+
+Check that limitador is back to ready:
+
+```
+kubectl wait limitador/limitador -n kuadrant-system --for="condition=Ready=true"
+
+```
+
 Kuadrant is now ready to use.
 
+
+### Step 10 - Configure the Kuadrant Console Plugin
+
+When running on OpenShift, the Kuadrant Operator will automatically install and configure the Kuadrant dynamic console plugin.
+
+#### Enable the Console Plugin
+
+To enable the Kuadrant console plugin:
+
+1. Log in to OpenShift or OKD as an administrator.
+2. Switch to the **Admin** perspective.
+3. Navigate to **Home** > **Overview**.
+4. In the **Dynamic Plugins** section of the status box, click **View all**.
+5. In the **Console plugins** area, find the `kuadrant-console` plugin. It should be listed but disabled.
+6. Click the **Disabled** button next to the `kuadrant-console` plugin.
+7. Select the **Enabled** radio button, and then click **Save**.
+8. Wait for the plugin status to change to **Loaded**.
+
+Once the plugin is loaded, refresh the console. You should see a new **Kuadrant** section in the navigation sidebar.
+
 ## Next steps
-- [Secure, protect, and connect APIs with Kuadrant on OpenShift](../user-guides/secure-protect-connect-single-multi-cluster.md)
+
+- [Secure, protect, and connect APIs with Kuadrant on OpenShift](../user-guides/secure-protect-connect-single-multi-cluster.md)
\ No newline at end of file
diff --git a/doc/user-guides/secure-protect-connect.md b/doc/user-guides/secure-protect-connect.md
index a96b0e280..d2d650d72 100644
--- a/doc/user-guides/secure-protect-connect.md
+++ b/doc/user-guides/secure-protect-connect.md
@@ -4,6 +4,15 @@
 
 - You have completed the [Single-cluster Quick Start](https://docs.kuadrant.io/latest/getting-started-single-cluster/) or [Multi-cluster Quick Start](https://docs.kuadrant.io/latest/getting-started-multi-cluster/).
 
+
+### Local Cluster (metallb)
+
+>**Note:** If you are running on a local kind cluster, it is also recommended you use [metallb](https://metallb.universe.tf/) to setup an IP address pool to use with loadbalancer services for your gateways. An example script for configuring metallb based on the docker network once installed can be found [here](https://github.com/Kuadrant/kuadrant-operator/blob/main/utils/docker-network-ipaddresspool.sh).
+
+```
+./utils/docker-network-ipaddresspool.sh kind yq 1 | kubectl apply -n metallb-system -f -
+```
+
 ## Overview
 
 In this guide, we will cover the different policies from Kuadrant and how you can use them to secure, protect and connect an Istio-controlled gateway in a single cluster, and how you can set more refined protection on the HTTPRoutes exposed by that gateway.
@@ -115,7 +124,7 @@ spec:
 EOF
 ```
 
-> **Note:** You may have to create a cluster issuer in the Kubernetes cluster, depending on if one was created during your initial cluster setup or not. Here is an example of how to create a self-signed CA as a cluster issuer.
+> **Note:** You may have to create a cluster issuer in the Kubernetes cluster, depending on if one was created during your initial cluster setup or not. Here is an example of how to create a self-signed CA as a cluster issuer. This is a self signed issuer for simplicity, but you can use other issuers such as [letsencrypt](https://letsencrypt.org/). Refer to the [cert-manager docs](https://cert-manager.io/docs/configuration/acme/dns01/route53/#iam-user-with-long-term-access-key)
 
 ```sh
 kubectl --context $KUBECTL_CONTEXT apply -f - <<EOF
@@ -282,7 +291,9 @@ kubectl -n kuadrant-system create secret generic aws-credentials \
   --from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
 ```
 
-Next, create the DNSPolicy:
+Next, create the DNSPolicy. There are two options here. 
+
+1. **Single gateway with no shared hostnames:**
 
 ```sh
 kubectl --context $KUBECTL_CONTEXT apply -f - <<EOF
@@ -299,19 +310,56 @@ spec:
   providerRefs:
   - name: aws-credentials
 EOF
+```
+2. **multiple gateways with shared hostnames:**
+
+If you want to use a gateway with a shared listener host (IE the same hostname on more than one gateway instance). Then you should use the following configuration:
+
+> **Note:** This configuration will work fine for a single gateway also, but does create some additional records.
+
+```sh
+kubectl --context $KUBECTL_CONTEXT apply -f - <<EOF
+apiVersion: kuadrant.io/v1alpha1
+kind: DNSPolicy
+metadata:
+  name: simple-dnspolicy
+  namespace: kuadrant-system
+spec:
+  targetRef:
+    name: api-gateway
+    group: gateway.networking.k8s.io
+    kind: Gateway
+  providerRefs:
+    - name: aws-credentials
+  loadBalancing:
+    weight: 120
+    geo: EU
+    defaultGeo: true
+EOF
+```    
+
+The loadbalancing section here has the following attributes:
+
+- **Weight:** This will be the weighting used for records created for hosts defined by this gateway. It will decide how often the records for this gateway are returned. If you have 2 gateways and each DNSPolicy specifies the same weight, then you will get an even distribution. If you define one weight as larger than the other, the gateway with the larger weight will receive more traffic (record weight / sum of all records).
+- **geo:** This will be the geo used to decide whether to return records defined for this gateway based on the requesting client's location. This should be set even if you have one gateway in a single geo. 
+- **defaultGeo:** For Azure and AWS, this will decide, if there should be a default geo. A default geo acts as a "catch-all" (GCP always sets a catch-all) for clients outside of the defined geo locations. There can only be one default value and so it is important you set `defaultGeo` as true for **one** and **only one** geo code for each of the gateways in that geo. 
 
+Wait for the DNSPolicy to marked as enforced:
+
+```
 kubectl --context $KUBECTL_CONTEXT wait dnspolicy simple-dnspolicy -n kuadrant-system --for=condition=enforced
 ```
 
-If you want to see the DNSRecord created by the this policy, execute the following command:
+If you want to see the actual DNSRecord created by the this policy, execute the following command:
+
+> **Note:** This resource is managed by kuadrant and so shouldn't be changed directly.
 
 ```sh
 kubectl --context $KUBECTL_CONTEXT get dnsrecord.kuadrant.io api-gateway-api -n kuadrant-system -o=yaml
 ```
 
-So now we have a wildcard DNS record to bring traffic to our gateway.
 
-Let's test it again. This time we expect a `403` still as the _deny-all_ policy is still in effect. Notice we no longer need to set the Host header directly.
+With DNS in place, let's test it again. This time we expect a `403` still as the _deny-all_ policy is still in effect. Notice we no longer need to set the Host header directly.
 
 > **Note:** If you have followed through this guide on more than 1 cluster, the DNS record for the HTTPRoute hostname will have multiple IP addresses. This means that requests will be made in a round robin pattern across clusters as your DNS provider sends different responses to lookups. You may need to send multiple requests before one hits the cluster you are currently configuring.