diff --git a/chart/drupalsite-operator/templates/manager-deploy.yaml b/chart/drupalsite-operator/templates/manager-deploy.yaml
index 887b93968ef43a8ae52bcb9efe72e3f3bc60aff1..a514f9ea133090b71c1a4676c39930b083c45971 100644
--- a/chart/drupalsite-operator/templates/manager-deploy.yaml
+++ b/chart/drupalsite-operator/templates/manager-deploy.yaml
@@ -35,6 +35,7 @@ spec:
         - --easystart-backup-name={{.Values.drupalsiteOperator.easystartBackupName}}
         - --supported-drupal-version-name={{.Values.drupalsiteOperator.supportedDrupalVersionName}}
         - --velero-backup-storage-location={{.Values.drupalsiteOperator.veleroBackupStorageLocation}}
+        - --wildcardDelegatedDomainsRegex={{.Values.drupalsiteOperator.wildcardDelegatedDomainsRegex}}
         command:
         - /manager
         image: {{ .Values.image | quote }}
diff --git a/chart/drupalsite-operator/values.yaml b/chart/drupalsite-operator/values.yaml
index b7450610015179eac5eefeb2918f842c3c08dced..92873407099f6f9f7bd36ade566a2217e08e04bb 100644
--- a/chart/drupalsite-operator/values.yaml
+++ b/chart/drupalsite-operator/values.yaml
@@ -33,3 +33,5 @@ drupalsiteOperator:
   clusterName: {}
   easystartBackupName: ""
   veleroBackupStorageLocation: "default"
+  # By default we set everything, because then there's no certificate applies
+  wildcardDelegatedDomainsRegex: ".*.web.cern.ch$|.*cern$|.*.webtest.cern.ch"
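Review bot: The default pattern is looser than the wildcard certificate it describes: the dots are unescaped, nothing is anchored at the start, and the `.*.webtest.cern.ch` alternative has no `$`, so a host such as `x.webtest.cern.ch.example.org` (constructed example) matches and is treated as covered. `.*` also spans several labels, whereas a wildcard certificate normally covers one label, so `a.b.web.cern.ch` would skip the ACME path without, as far as I can tell, being covered by the certificate. Consider a single-quoted, escaped and anchored value such as `'^[^.]+\.web\.cern\.ch$|^[^.]+\.webtest\.cern\.ch$'`, and state whether `.*cern$` is meant to be `\.cern$`. The comment above the value is hard to parse; something like `# Hosts matching this regex are served by the wildcard certificate; all other hosts get an ACME-issued certificate` would say what the setting controls.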
diff --git a/controllers/drupalsite_controller.go b/controllers/drupalsite_controller.go
index 83e817451bf4cfdd8bb1e4a1572be37f32ac04d9..72464db4fe06f914592708786a9643b3c068bfc8 100644
--- a/controllers/drupalsite_controller.go
+++ b/controllers/drupalsite_controller.go
@@ -84,6 +84,8 @@ var (
 	SupportedDrupalVersionName string
 	// VeleroBackupStorageLocation refers to the name of the Velero backupStorageLocation to be used
 	VeleroBackupStorageLocation string
+	// WildcardDelegatedDomainsRegex refers to the pattern of subdomains that are covered by CERN's wildcard certificate (*.web.cern.ch etc.)
+	WildcardDelegatedDomainsRegex string
 )
 
 // DrupalSiteReconciler reconciles a DrupalSite object
diff --git a/controllers/drupalsite_resources.go b/controllers/drupalsite_resources.go
index 77ad859791c63be77f4b87feaff82a44a1f9fc28..64e116bce1a0de17c2d69c24324e6a4c348dee8c 100644
--- a/controllers/drupalsite_resources.go
+++ b/controllers/drupalsite_resources.go
@@ -24,6 +24,7 @@ import (
 	"io/ioutil"
 	"math/rand"
 	"net/url"
+	"regexp"
 	"strconv"
 	"time"
 
@@ -215,6 +216,26 @@ ensureResourceX ensure the requested resource is created, with the following val
   - backup_schedule: Velero Schedule for scheduled backups of the drupalSite
   - tekton_extra_perm_rbac: ClusterRoleBinding for tekton tasks
   - gitlab_trigger_secret: Secret for Gitlab trigger config in buildconfig
+  - pvc_drupal: PersistentVolume for the drupalsite
+  - site_install_job: Kubernetes Job for the drush ensure-site-install
+  - clone_job: Kubernetes Job for cloning a drupal site
+  - easystart_taskrun: Taskrun for restoring easystart backup
+  - is_base: ImageStream for sitebuilder-base
+  - is_s2i: ImageStream for S2I sitebuilder
+  - bc_s2i: BuildConfig for S2I sitebuilder
+  - deploy_drupal: <moved to `ensureDrupalDeployment`>
+  - svc_nginx: Service for Nginx
+  - cm_php: ConfigMap for PHP-FPM
+  - cm_nginx_global: ConfigMap for Nginx global settings (performance)
+  - cm_settings: ConfigMap for `settings.php`
+  - cm_php_cli: ConfigMap for 'config.ini' for PHP CLI
+  - route: Route for the drupalsite
+  - oidc_return_uri: Redirection URI for OIDC
+  - dbod_cr: DBOD custom resource to establish database & respective connection for the drupalsite
+  - webdav_secret: Secret with credential for WebDAV
+  - backup_schedule: Velero Schedule for scheduled backups of the drupalSite
+  - tekton_extra_perm_rbac: ClusterRoleBinding for tekton tasks
+  - gitlab_trigger_secret: Secret for Gitlab trigger config in buildconfig
 */
 func (r *DrupalSiteReconciler) ensureResourceX(ctx context.Context, d *webservicesv1a1.DrupalSite, resType string, log logr.Logger) (transientErr reconcileError) {
 	switch resType {
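Review bot: The lines added to the ensureResourceX comment repeat entries that are already there: `backup_schedule`, `tekton_extra_perm_rbac` and `gitlab_trigger_secret` appear as context just above the addition and again at its end. This suggests the resource list was pasted a second time, perhaps during a rebase. The start of the comment is outside this hunk, so I cannot confirm that the other added entries are duplicates too. If they are, drop the added block so the list keeps one entry per resource type.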
@@ -1484,13 +1505,34 @@ func serviceForDrupalSite(currentobject *corev1.Service, d *webservicesv1a1.Drup
 	return nil
 }
 
-// routeForDrupalSite returns a route object
+// routeForDrupalSite updates a route object with expected values
 func routeForDrupalSite(currentobject *routev1.Route, d *webservicesv1a1.DrupalSite, Url string) error {
 	addOwnerRefToObject(currentobject, asOwner(d))
-	currentobject.Spec.TLS = &routev1.TLSConfig{
-		InsecureEdgeTerminationPolicy: "Redirect",
-		Termination:                   "edge",
+	if currentobject.Annotations == nil {
+		currentobject.Annotations = map[string]string{}
+	}
+	if currentobject.Labels == nil {
+		currentobject.Labels = map[string]string{}
 	}
+	if currentobject.Spec.TLS == nil {
+		currentobject.Spec.TLS = &routev1.TLSConfig{}
+	}
+	if currentobject.Spec.Port == nil {
+		currentobject.Spec.Port = &routev1.RoutePort{}
+	}
+	// If the route we are trying to create is not covered by the wildcard certificate
+	// we add an annotation so the Openshift-acme creates one certificate for us,
+	// As of May 2023 this is the expected pattern:
+	// https://gitlab.cern.ch/paas-tools/okd4-install/-/blob/master/chart/templates/_shared_subdomains_regex.tpl
+	// more info on the Openshift-acme: https://gitlab.cern.ch/paas-tools/okd4-deployment/openshift-acme
+	// MR with change: https://gitlab.cern.ch/drupal/paas/drupalsite-operator/-/merge_requests/188
+	matchesSupportedDomains, _ := regexp.MatchString(WildcardDelegatedDomainsRegex, Url)
+	if !matchesSupportedDomains {
+		currentobject.Annotations["kubernetes.io/tls-acme"] = "true"
+	}
+	currentobject.Spec.TLS.InsecureEdgeTerminationPolicy = "Redirect"
+	currentobject.Spec.TLS.Termination = "edge"
+	currentobject.Spec.Port.TargetPort = intstr.FromInt(8080)
 	currentobject.Spec.To = routev1.RouteTargetReference{
 		Kind:   "Service",
 		Name:   d.Name,
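Review bot: The error from `regexp.MatchString` is discarded in routeForDrupalSite, so an invalid `WildcardDelegatedDomainsRegex` yields `false` for every site and every route gets the `kubernetes.io/tls-acme` annotation. That is a fleet-wide certificate request triggered by a configuration typo, with nothing logged. The function already returns `error`, so return it here, or better, compile the pattern once at startup and fail fast instead of recompiling it on every reconcile. The annotation is also only ever added: assuming the operator owns it, a route whose host later matches the wildcard pattern keeps requesting an ACME certificate. Whether `Url` is a bare hostname or a full URL is not visible here, which matters once the pattern is anchored. The function body continues past the end of this hunk.

```go
// … unchanged: owner reference and nil checks for Annotations, Labels, Spec.TLS, Spec.Port …
matchesSupportedDomains, err := regexp.MatchString(WildcardDelegatedDomainsRegex, Url)
if err != nil {
	// An invalid pattern must not silently become "request an ACME certificate for every site".
	return err
}
if matchesSupportedDomains {
	// Covered by the wildcard certificate: make sure no stale ACME request remains.
	delete(currentobject.Annotations, "kubernetes.io/tls-acme")
} else {
	currentobject.Annotations["kubernetes.io/tls-acme"] = "true"
}
// … unchanged: TLS termination policy, target port and Spec.To …
```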
diff --git a/main.go b/main.go
index 651a25f9e41b03163807b42dc773c511ded9adab..60dc3900aa89b64f27f21ccd587fb96b221bb8f1 100644
--- a/main.go
+++ b/main.go
@@ -95,7 +95,7 @@ func main() {
 	// The variable name is set here: https://gitlab.cern.ch/drupal/paas/cern-drupal-distribution/-/blob/master/supporteddrupalversions/chart/templates/supported-drupal-versions.yaml
 	flag.StringVar(&controllers.SupportedDrupalVersionName, "supported-drupal-version-name", "supported-drupal-versions", "The name of the resource used cluster-wide for supported drupal versions")
 	flag.StringVar(&controllers.VeleroBackupStorageLocation, "velero-backup-storage-location", "default", "The name of the backupStorageLocation to be used for Velero Schedules created by the controller")
-	flag.StringVar(&websiteImagePullPolicyString, "websiteImagePullPolicy", "IfNotPresent", "The default image pull policy for deployed pods. We avoid 'Always' as it makes us more vulnerable to container registry downtime.")
+	flag.StringVar(&controllers.WildcardDelegatedDomainsRegex, "wildcardDelegatedDomainsRegex", "", "Regex pattern for domains covered by wildcard certificate")
 	opts := zap.Options{
 		Development: false,
 	}
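Review bot: The new `flag.StringVar` line replaces the `websiteImagePullPolicy` registration instead of being added next to it, which looks unintended. If `websiteImagePullPolicyString` is still read later in main (outside this hunk), it will stay at its zero value, and a deployment that still passes `--websiteImagePullPolicy` will fail flag parsing at startup. Restore the removed line and put the new registration on its own line. Separately, the default `""` is a pattern that matches every host, so a manager started without this flag never adds the ACME annotation. Either reject an empty value at startup or document that empty means "all hosts are covered by the wildcard certificate".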