diff --git a/charts/identity-gatekeeper/Chart.yaml b/charts/identity-gatekeeper/Chart.yaml
index 0fea23f..80d6b1d 100644
--- a/charts/identity-gatekeeper/Chart.yaml
+++ b/charts/identity-gatekeeper/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.7
+version: 1.0.8
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/identity-gatekeeper/templates/_helpers.tpl b/charts/identity-gatekeeper/templates/_helpers.tpl
index 6c8778d..d4f2366 100644
--- a/charts/identity-gatekeeper/templates/_helpers.tpl
+++ b/charts/identity-gatekeeper/templates/_helpers.tpl
@@ -81,6 +81,13 @@ Return the target Kubernetes version
   {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride }}
 {{- end -}}
 
+{{/*
+Internal URL for the target service
+*/}}
+{{- define "identity-gatekeeper.targetUrl" -}}
+http://{{ .Values.targetService.name }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.targetService.port.number }}
+{{- end }}
+
 {{/*
 Internal base URL for the services (minus port number)
 */}}
@@ -101,3 +108,12 @@ Internal URL for the admin service
 {{- define "identity-gatekeeper.adminServiceUrl" -}}
 {{ include "identity-gatekeeper.baseServiceUrl" . }}:{{ .Values.service.admin.port }}
 {{- end }}
+
+{{/*
+Ingress server-snippets - merged from constituent parts
+*/}}
+{{- define "identity-gatekeeper.ingressServerSnippet" -}}
+{{ .Values.ingress.serverSnippets.custom }}
+{{ .Values.ingress.serverSnippets.gatekeeper }}
+{{ .Values.ingress.serverSnippets.auth }}
+{{- end }}
diff --git a/charts/identity-gatekeeper/templates/ingress.yaml b/charts/identity-gatekeeper/templates/ingress.yaml
index 6627e05..3225c99 100644
--- a/charts/identity-gatekeeper/templates/ingress.yaml
+++ b/charts/identity-gatekeeper/templates/ingress.yaml
@@ -7,10 +7,10 @@ metadata:
   name: {{ $name }}
   labels:
     {{- include "identity-gatekeeper.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
   annotations:
-    {{- tpl (toYaml .) $ | nindent 4 }}
-  {{- end }}
+    {{- range $k, $v := .Values.ingress.annotations }}
+      {{- dict $k (tpl (tpl $v $) $) | toYaml | nindent 4 }}
+    {{- end }}
   namespace: {{ .Release.Namespace }}
 spec:
   {{- if and .Values.ingress.className (semverCompare ">=1.18-0" (include "identity-gatekeeper.kubeVersion" $)) }}
diff --git a/charts/identity-gatekeeper/values.yaml b/charts/identity-gatekeeper/values.yaml
index 9b3a87b..39d1ae9 100644
--- a/charts/identity-gatekeeper/values.yaml
+++ b/charts/identity-gatekeeper/values.yaml
@@ -91,7 +91,7 @@ ingress:
   className: ""
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt
-    nginx.ingress.kubernetes.io/configuration-snippet: |
+    nginx.ingress.kubernetes.io/configuration-snippet: |-
       auth_request /auth;
       if ($request_method = OPTIONS) {
         return 200;
@@ -99,7 +99,19 @@ ingress:
       add_header Access-Control-Allow-Origin $http_origin always;
       add_header Access-Control-Allow-Methods "*";
       add_header Access-Control-Allow-Headers "Authorization, Origin, Content-Type";
-    nginx.ingress.kubernetes.io/server-snippet: |
+    nginx.ingress.kubernetes.io/server-snippet: |-
+      {{ include "identity-gatekeeper.ingressServerSnippet" . }}
+  serverSnippets:
+    # Server snippets separated into different values, to allow them to be more easily overridden,
+    # and to more easily introduce addition custom locations.
+    custom: |-
+      #----------
+      # Custom server snippets
+      #----------
+    gatekeeper: |-
+      #----------
+      # Gatekeeper-specific server snippets
+      #----------
       # Open endpoints provided by gatekeeper itself
       # - which should passthru to gatekeeper, rather than the 'target' protected service,
       # without need for any auth.
@@ -109,6 +121,10 @@ ingress:
       location ~ /oauth/(health|metrics) {
         proxy_pass {{ include "identity-gatekeeper.adminServiceUrl" . }}$request_uri;
       }
+    auth: |-
+      #----------
+      # Auth Request server snippets
+      #----------
       # Endpoint for the nginx 'auth_request' - which directs to gatekeeper
       location ^~ /auth {
         internal;
@@ -134,7 +150,8 @@ ingress:
               port:
                 number: "{{ .Values.targetService.port.number }}"
   tls:
-    - secretName: "{{ include \"identity-gatekeeper.fullname\" . }}-tls"
+    - secretName: |-
+        {{ include "identity-gatekeeper.fullname" . }}-tls
       hosts:
         - "{{ .Values.targetService.host }}"
 autoscaling: