diff --git a/.env b/.env
new file mode 100644
index 0000000..d3b1026
--- /dev/null
+++ b/.env
@@ -0,0 +1 @@
+ISTIO_VERSION=1.22.01
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..43cf4ce
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.txt
+*.xml
diff --git a/application.yaml b/charts/application_old.yaml
similarity index 100%
rename from application.yaml
rename to charts/application_old.yaml
diff --git a/charts/istio-base.yaml b/charts/istio-base.yaml
new file mode 100644
index 0000000..f0fe8c5
--- /dev/null
+++ b/charts/istio-base.yaml
@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+    name: istio-base
+    namespace: argocd
+    finalizers:
+        - resources-finalizer.argocd.argoproj.io
+spec:
+    destination:
+        server: https://kubernetes.default.svc
+        namespace: istio-system
+    project: default
+    source:
+        chart: base
+        repoURL: https://istio-release.storage.googleapis.com/charts
+        targetRevision: ${ISTIO_VERSION}
+    syncPolicy:
+        automated:
+            prune: true
+            selfHeal: true
+        syncOptions:
+            - CreateNamespace=true
+    ignoreDifferences:
+        - group: admissionregistration.k8s.io
+          kind: ValidatingWebhookConfiguration
+          jsonPointers:
+              - /webhooks/0/failurePolicy
diff --git a/charts/istio-cni.yaml b/charts/istio-cni.yaml
new file mode 100644
index 0000000..a182069
--- /dev/null
+++ b/charts/istio-cni.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+    name: istio-cni
+    namespace: argocd
+    finalizers:
+        - resources-finalizer.argocd.argoproj.io
+spec:
+    destination:
+        server: https://kubernetes.default.svc
+        namespace: kube-system
+    project: default
+    source:
+        chart: cni
+        repoURL: https://istio-release.storage.googleapis.com/charts
+        targetRevision: ${ISTIO_VERSION}
+        helm:
+            values: |
+                profile: ambient
+    syncPolicy:
+        automated:
+            prune: true
+            selfHeal: true
diff --git a/charts/istiod.yaml b/charts/istiod.yaml
new file mode 100644
index 0000000..00c8902
--- /dev/null
+++ b/charts/istiod.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+    name: istiod
+    namespace: argocd
+    finalizers:
+        - resources-finalizer.argocd.argoproj.io
+spec:
+    destination:
+        server: https://kubernetes.default.svc
+        namespace: istio-system
+    project: default
+    source:
+        chart: istiod
+        repoURL: https://istio-release.storage.googleapis.com/charts
+        targetRevision: ${ISTIO_VERSION}
+        helm:
+            values: |
+                profile: ambient
+    syncPolicy:
+        automated:
+            prune: true
+            selfHeal: true
+    ignoreDifferences:
+        - group: admissionregistration.k8s.io
+          kind: ValidatingWebhookConfiguration
+          jsonPointers:
+              - /webhooks/0/failurePolicy
diff --git a/charts/ztunnel.yaml b/charts/ztunnel.yaml
new file mode 100644
index 0000000..9c947b4
--- /dev/null
+++ b/charts/ztunnel.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+    name: istio-ztunnel
+    namespace: argocd
+    finalizers:
+        - resources-finalizer.argocd.argoproj.io
+spec:
+    destination:
+        server: https://kubernetes.default.svc
+        namespace: istio-system
+    project: default
+    source:
+        chart: ztunnel
+        repoURL: https://istio-release.storage.googleapis.com/charts
+        targetRevision: ${ISTIO_VERSION}
+    syncPolicy:
+        automated:
+            prune: true
+            selfHeal: true
diff --git a/deployment.yaml b/deployment.yaml
index c39bc97..fd3b9ca 100644
--- a/deployment.yaml
+++ b/deployment.yaml
@@ -1,19 +1,22 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: myapp
+    name: myapp
 spec:
-  selector:
-    matchLabels:
-      app: myapp
-  replicas: 2
-  template:
-    metadata:
-      labels:
-        app: myapp
-    spec:
-      containers:
-      - name: myapp
-        image: nanajanashia/argocd-app:1.2
-        ports:
-        - containerPort: 8080
+    selector:
+        matchLabels:
+            app: myapp
+    replicas: 2
+    template:
+        metadata:
+            labels:
+                app: myapp
+        spec:
+            containers:
+                - name: myapp
+                  image: nanajanashia/argocd-app:1.2
+                  ports:
+                      - containerPort: 8080
+                  env:
+                      - name: ISTIO_VERSION
+                        value: "1.22.1"
diff --git a/run.sh b/run.sh
new file mode 100644
index 0000000..43f63a3
--- /dev/null
+++ b/run.sh
@@ -0,0 +1,31 @@
+# see https://www.solo.io/blog/istio-ambient-argo-cd-kind-15-minutes
+
+minikube delete
+
+set -a
+source .env
+set +a
+
+minikube start --driver=docker
+kubectl create namespace argocd || true
+
+kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.9.5/manifests/install.yaml
+
+echo "Waiting for Argo CD server pod to be ready..."
+kubectl wait --namespace argocd --for=condition=Ready pod -l app.kubernetes.io/name=argocd-server --timeout=120s
+
+kubectl port-forward svc/argocd-server -n argocd 9999:443 &> forward.txt &
+
+echo "installing Kubernetes Gateway CRDs"
+kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
+{ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.0.0" | kubectl apply -f -; }
+
+echo "Applying Application manifests with ISTIO_VERSION=$ISTIO_VERSION"
+for f in charts/*.yaml; do
+    echo " -> $f"
+    envsubst < "$f" | kubectl apply -f -
+done
+
+sleep 5
+
+kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 --decode && echo