diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index cf282cb23f..a04e74a14e 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -275,6 +275,12 @@ os_wildcard_crt_file: wildcard-2021.app.os.fedoraproject.org.cert
 os_wildcard_key_file: wildcard-2021.app.os.fedoraproject.org.key
 os_wildcard_int_file: wildcard-2021.app.os.fedoraproject.org.intermediate.cert
 
+# This is the openshift wildcard cert for ocp
+ocp_wildcard_cert_name: wildcard-2021.apps.ocp.fedoraproject.org
+ocp_wildcard_cert_file: wildcard-2021.apps.ocp.fedoraproject.org.cert
+ocp_wildcard_key_file: wildcard-2021.apps.ocp.fedoraproject.org.key
+ocp_wildcard_int_file: wildcard-2021.apps.ocp.fedoraproject.org.intermediate.cert
+
 # Everywhere, always, we should sign messages and validate signatures.
 # However, we allow individual hosts and groups to override this.  Use this very
 # carefully.. and never in production (good for testing stuff in staging).
diff --git a/inventory/group_vars/ocp b/inventory/group_vars/ocp
new file mode 100644
index 0000000000..36f36c2ce7
--- /dev/null
+++ b/inventory/group_vars/ocp
@@ -0,0 +1,8 @@
+---
+rhcos_version: 4.8.2
+ocp4: true
+vpn: false
+nagios_Check_Services:
+  swap: false
+  nrpe: false
+  mail: false
diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
index 76e4c18b22..3e777b580c 100644
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@@ -124,3 +124,14 @@ openshift_nodes:
 - os-node01.vpn.fedoraproject.org
 - os-node02.vpn.fedoraproject.org
 - os-node03.vpn.fedoraproject.org
+
+ocp_masters:
+- bootstrap.ocp.iad2.fedoraproject.org
+- ocp01.ocp.iad2.fedoraproject.org
+- ocp02.ocp.iad2.fedoraproject.org
+- ocp03.ocp.iad2.fedoraproject.org
+
+ocp_nodes:
+- worker01.ocp.iad2.fedoraproject.org
+- worker02.ocp.iad2.fedoraproject.org
+- worker03.ocp.iad2.fedoraproject.org
diff --git a/inventory/group_vars/proxies_stg b/inventory/group_vars/proxies_stg
index d427082b33..341ad52143 100644
--- a/inventory/group_vars/proxies_stg
+++ b/inventory/group_vars/proxies_stg
@@ -121,13 +121,13 @@ openshift_nodes:
 - os-node03.stg.iad2.fedoraproject.org
 - os-node04.stg.iad2.fedoraproject.org
 
-ocp_masters:
+ocp_masters_stg:
 # - bootstrap.ocp.stg.iad2.fedoraproject.org
 - ocp01.ocp.stg.iad2.fedoraproject.org
 - ocp02.ocp.stg.iad2.fedoraproject.org
 - ocp03.ocp.stg.iad2.fedoraproject.org
 
-ocp_nodes:
+ocp_nodes_stg:
 - worker01.ocp.stg.iad2.fedoraproject.org
 - worker02.ocp.stg.iad2.fedoraproject.org
 - worker03.ocp.stg.iad2.fedoraproject.org
diff --git a/inventory/host_vars/bootstrap.ocp.iad2.fedoraproject.org b/inventory/host_vars/bootstrap.ocp.iad2.fedoraproject.org
new file mode 100644
index 0000000000..74514d4bda
--- /dev/null
+++ b/inventory/host_vars/bootstrap.ocp.iad2.fedoraproject.org
@@ -0,0 +1,60 @@
+---
+freezes: false
+
+datacenter: iad2
+
+vmhost: vmhost-x86-04.iad2.fedoraproject.org,
+volgroup: /dev/vg_guests
+lvm_size: 120g
+mem_size: 16384
+max_mem_size: 16384
+num_cpus: 4
+
+dns1: 10.3.163.33
+dns2: 10.3.163.34
+
+dns_search1: "iad2.fedoraproject.org"
+dns_search3: "fedoraproject.org"
+
+has_ipv4: yes
+eth0_ipv4: 10.3.163.126
+eth0_ipv4_nm: 24
+eth0_ipv4_gw: 10.3.163.254
+eth0_ip: "{{eth0_ipv4}}"
+nm: 255.255.255.0
+gw: "{{ eth0_ipv4_gw }}"
+dns: "{{ dns1 }}"
+
+mac0: "{{ ansible_default_ipv4.macaddress }}"
+
+rhcos_ignition_file_url: "http://10.3.163.65/rhcos/bootstrap.ign"
+rhcos_install_img_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-metal.x86_64.raw.gz"
+rhcos_install_rootfs_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-live-rootfs.x86_64.img"
+rhcos_install_url: "http://10.3.163.65/rhcos/"
+
+virt_install_command: "{{ virt_install_command_pxe_rhcos }}"
+
+network_connections:
+  - name: eth0
+    mac: "{{ mac0 }}"
+    state: up
+    type: ethernet
+    autoconnect: yes
+    ip:
+      address:
+      - "{{ eth0_ipv4 }}/{{ eth0_ipv4_nm }}"
+      gateway4: "{{ eth0_ipv4_gw }}"
+      dns:
+      - "{{ dns1 }}"
+      - "{{ dns2 }}"
+      dns_search:
+      - "{{ dns_search1 }}"
+      - "{{ dns_search2 }}"
+      - "{{ dns_search3 }}"
+      dhcp4: no
+      auto6: no
+
+vpn: true
+
+nrpe_procs_warn: 1200
+nrpe_procs_crit: 1400
diff --git a/inventory/host_vars/ocp01.ocp.iad2.fedoraproject.org b/inventory/host_vars/ocp01.ocp.iad2.fedoraproject.org
new file mode 100644
index 0000000000..09be675ff2
--- /dev/null
+++ b/inventory/host_vars/ocp01.ocp.iad2.fedoraproject.org
@@ -0,0 +1,60 @@
+---
+freezes: false
+
+datacenter: iad2
+
+vmhost: vmhost-x86-04.iad2.fedoraproject.org,
+volgroup: /dev/vg_guests
+lvm_size: 120g
+mem_size: 16384
+max_mem_size: 16384
+num_cpus: 4
+
+dns1: 10.3.163.33
+dns2: 10.3.163.34
+
+dns_search1: "iad2.fedoraproject.org"
+dns_search3: "fedoraproject.org"
+
+has_ipv4: yes
+eth0_ipv4: 10.3.163.120
+eth0_ipv4_nm: 24
+eth0_ipv4_gw: 10.3.163.254
+eth0_ip: "{{eth0_ipv4}}"
+nm: 255.255.255.0
+gw: "{{ eth0_ipv4_gw }}"
+dns: "{{ dns1 }}"
+
+mac0: "{{ ansible_default_ipv4.macaddress }}"
+
+rhcos_ignition_file_url: "http://10.3.163.65/rhcos/controlplane.ign"
+rhcos_install_img_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-metal.x86_64.raw.gz"
+rhcos_install_rootfs_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-live-rootfs.x86_64.img"
+rhcos_install_url: "http://10.3.163.65/rhcos/"
+
+virt_install_command: "{{ virt_install_command_pxe_rhcos }}"
+
+network_connections:
+  - name: eth0
+    mac: "{{ mac0 }}"
+    state: up
+    type: ethernet
+    autoconnect: yes
+    ip:
+      address:
+      - "{{ eth0_ipv4 }}/{{ eth0_ipv4_nm }}"
+      gateway4: "{{ eth0_ipv4_gw }}"
+      dns:
+      - "{{ dns1 }}"
+      - "{{ dns2 }}"
+      dns_search:
+      - "{{ dns_search1 }}"
+      - "{{ dns_search2 }}"
+      - "{{ dns_search3 }}"
+      dhcp4: no
+      auto6: no
+
+vpn: true
+
+nrpe_procs_warn: 1200
+nrpe_procs_crit: 1400
diff --git a/inventory/host_vars/ocp02.ocp.iad2.fedoraproject.org b/inventory/host_vars/ocp02.ocp.iad2.fedoraproject.org
new file mode 100644
index 0000000000..ed349bac86
--- /dev/null
+++ b/inventory/host_vars/ocp02.ocp.iad2.fedoraproject.org
@@ -0,0 +1,60 @@
+---
+freezes: false
+
+datacenter: iad2
+
+vmhost: vmhost-x86-05.iad2.fedoraproject.org,
+volgroup: /dev/vg_guests
+lvm_size: 120g
+mem_size: 16384
+max_mem_size: 16384
+num_cpus: 4
+
+dns1: 10.3.163.33
+dns2: 10.3.163.34
+
+dns_search1: "iad2.fedoraproject.org"
+dns_search3: "fedoraproject.org"
+
+has_ipv4: yes
+eth0_ipv4: 10.3.163.121
+eth0_ipv4_nm: 24
+eth0_ipv4_gw: 10.3.163.254
+eth0_ip: "{{eth0_ipv4}}"
+nm: 255.255.255.0
+gw: "{{ eth0_ipv4_gw }}"
+dns: "{{ dns1 }}"
+
+mac0: "{{ ansible_default_ipv4.macaddress }}"
+
+rhcos_ignition_file_url: "http://10.3.163.65/rhcos/controlplane.ign"
+rhcos_install_img_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-metal.x86_64.raw.gz"
+rhcos_install_rootfs_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-live-rootfs.x86_64.img"
+rhcos_install_url: "http://10.3.163.65/rhcos/"
+
+virt_install_command: "{{ virt_install_command_pxe_rhcos }}"
+
+network_connections:
+  - name: eth0
+    mac: "{{ mac0 }}"
+    state: up
+    type: ethernet
+    autoconnect: yes
+    ip:
+      address:
+      - "{{ eth0_ipv4 }}/{{ eth0_ipv4_nm }}"
+      gateway4: "{{ eth0_ipv4_gw }}"
+      dns:
+      - "{{ dns1 }}"
+      - "{{ dns2 }}"
+      dns_search:
+      - "{{ dns_search1 }}"
+      - "{{ dns_search2 }}"
+      - "{{ dns_search3 }}"
+      dhcp4: no
+      auto6: no
+
+vpn: true
+
+nrpe_procs_warn: 1200
+nrpe_procs_crit: 1400
diff --git a/inventory/host_vars/ocp03.ocp.iad2.fedoraproject.org b/inventory/host_vars/ocp03.ocp.iad2.fedoraproject.org
new file mode 100644
index 0000000000..b43fbf59b4
--- /dev/null
+++ b/inventory/host_vars/ocp03.ocp.iad2.fedoraproject.org
@@ -0,0 +1,60 @@
+---
+freezes: false
+
+datacenter: iad2
+
+vmhost: vmhost-x86-06.iad2.fedoraproject.org,
+volgroup: /dev/vg_guests
+lvm_size: 120g
+mem_size: 16384
+max_mem_size: 16384
+num_cpus: 4
+
+dns1: 10.3.163.33
+dns2: 10.3.163.34
+
+dns_search1: "iad2.fedoraproject.org"
+dns_search3: "fedoraproject.org"
+
+has_ipv4: yes
+eth0_ipv4: 10.3.163.122
+eth0_ipv4_nm: 24
+eth0_ipv4_gw: 10.3.163.254
+eth0_ip: "{{eth0_ipv4}}"
+nm: 255.255.255.0
+gw: "{{ eth0_ipv4_gw }}"
+dns: "{{ dns1 }}"
+
+mac0: "{{ ansible_default_ipv4.macaddress }}"
+
+rhcos_ignition_file_url: "http://10.3.163.65/rhcos/controlplane.ign"
+rhcos_install_img_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-metal.x86_64.raw.gz"
+rhcos_install_rootfs_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-live-rootfs.x86_64.img"
+rhcos_install_url: "http://10.3.163.65/rhcos/"
+
+virt_install_command: "{{ virt_install_command_pxe_rhcos }}"
+
+network_connections:
+  - name: eth0
+    mac: "{{ mac0 }}"
+    state: up
+    type: ethernet
+    autoconnect: yes
+    ip:
+      address:
+      - "{{ eth0_ipv4 }}/{{ eth0_ipv4_nm }}"
+      gateway4: "{{ eth0_ipv4_gw }}"
+      dns:
+      - "{{ dns1 }}"
+      - "{{ dns2 }}"
+      dns_search:
+      - "{{ dns_search1 }}"
+      - "{{ dns_search2 }}"
+      - "{{ dns_search3 }}"
+      dhcp4: no
+      auto6: no
+
+vpn: true
+
+nrpe_procs_warn: 1200
+nrpe_procs_crit: 1400
diff --git a/inventory/host_vars/worker01.ocp.iad2.fedoraproject.org b/inventory/host_vars/worker01.ocp.iad2.fedoraproject.org
new file mode 100644
index 0000000000..843797ff1e
--- /dev/null
+++ b/inventory/host_vars/worker01.ocp.iad2.fedoraproject.org
@@ -0,0 +1,57 @@
+---
+freezes: true
+
+datacenter: iad2
+
+arch: x86_64
+
+dns1: 10.3.163.33
+dns2: 10.3.163.34
+
+dns_search1: "iad2.fedoraproject.org"
+dns_search3: "fedoraproject.org"
+
+has_ipv4: yes
+eth0_ipv4: 10.3.163.123
+eth0_ipv4_nm: 24
+eth0_ipv4_gw: 10.3.163.254
+eth0_ip: "{{eth0_ipv4}}"
+nm: 255.255.255.0
+gw: "{{ eth0_ipv4_gw }}"
+dns: "{{ dns1 }}"
+
+pxe_bootdev: eno34
+install_dev: /dev/sda
+mac0: "68:05:CA:CE:A3:C9"
+
+rhcos_install_img_url: "http://10.3.163.165/rhcos/rhcos-{{ rhcos_version }}-x86_64-metal.x86_64.raw.gz"
+rhcos_install_url: "http://10.3.163.65/rhcos/"
+rhcos_kernel_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-live-kernel.x86_64"
+rhcos_initrd_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-live-initramfs.x86_64.img"
+rhcos_install_rootfs_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-live-rootfs.x86_64.img"
+rhcos_ignition_file_url: "http://10.3.163.65/rhcos/worker.ign"
+
+network_connections:
+  - name: eth0
+    mac: "{{ mac0 }}"
+    state: up
+    type: ethernet
+    autoconnect: yes
+    ip:
+      address:
+      - "{{ eth0_ipv4 }}/{{ eth0_ipv4_nm }}"
+      gateway4: "{{ eth0_ipv4_gw }}"
+      dns:
+      - "{{ dns1 }}"
+      - "{{ dns2 }}"
+      dns_search:
+      - "{{ dns_search1 }}"
+      - "{{ dns_search2 }}"
+      - "{{ dns_search3 }}"
+      dhcp4: no
+      auto6: no
+
+vpn: true
+
+nrpe_procs_warn: 1200
+nrpe_procs_crit: 1400
diff --git a/inventory/host_vars/worker02.ocp.iad2.fedoraproject.org b/inventory/host_vars/worker02.ocp.iad2.fedoraproject.org
new file mode 100644
index 0000000000..07b4f385d7
--- /dev/null
+++ b/inventory/host_vars/worker02.ocp.iad2.fedoraproject.org
@@ -0,0 +1,57 @@
+---
+freezes: true
+
+datacenter: iad2
+
+arch: x86_64
+
+dns1: 10.3.163.33
+dns2: 10.3.163.34
+
+dns_search1: "iad2.fedoraproject.org"
+dns_search3: "fedoraproject.org"
+
+has_ipv4: yes
+eth0_ipv4: 10.3.163.124
+eth0_ipv4_nm: 24
+eth0_ipv4_gw: 10.3.163.254
+eth0_ip: "{{eth0_ipv4}}"
+nm: 255.255.255.0
+gw: "{{ eth0_ipv4_gw }}"
+dns: "{{ dns1 }}"
+
+pxe_bootdev: eno33
+install_dev: /dev/sda
+mac0: "68:05:CA:CE:A2:90"
+
+rhcos_install_img_url: "http://10.3.163.165/rhcos/rhcos-{{ rhcos_version }}-x86_64-metal.x86_64.raw.gz"
+rhcos_install_url: "http://10.3.163.65/rhcos/"
+rhcos_kernel_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-live-kernel.x86_64"
+rhcos_initrd_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-live-initramfs.x86_64.img"
+rhcos_install_rootfs_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-live-rootfs.x86_64.img"
+rhcos_ignition_file_url: "http://10.3.163.65/rhcos/worker.ign"
+
+network_connections:
+  - name: eth0
+    mac: "{{ mac0 }}"
+    state: up
+    type: ethernet
+    autoconnect: yes
+    ip:
+      address:
+      - "{{ eth0_ipv4 }}/{{ eth0_ipv4_nm }}"
+      gateway4: "{{ eth0_ipv4_gw }}"
+      dns:
+      - "{{ dns1 }}"
+      - "{{ dns2 }}"
+      dns_search:
+      - "{{ dns_search1 }}"
+      - "{{ dns_search2 }}"
+      - "{{ dns_search3 }}"
+      dhcp4: no
+      auto6: no
+
+vpn: true
+
+nrpe_procs_warn: 1200
+nrpe_procs_crit: 1400
diff --git a/inventory/host_vars/worker03.ocp.iad2.fedoraproject.org b/inventory/host_vars/worker03.ocp.iad2.fedoraproject.org
new file mode 100644
index 0000000000..4add7fb2c9
--- /dev/null
+++ b/inventory/host_vars/worker03.ocp.iad2.fedoraproject.org
@@ -0,0 +1,57 @@
+---
+freezes: true
+
+datacenter: iad2
+
+arch: x86_64
+
+dns1: 10.3.163.33
+dns2: 10.3.163.34
+
+dns_search1: "iad2.fedoraproject.org"
+dns_search3: "fedoraproject.org"
+
+has_ipv4: yes
+eth0_ipv4: 10.3.163.125
+eth0_ipv4_nm: 24
+eth0_ipv4_gw: 10.3.163.254
+eth0_ip: "{{eth0_ipv4}}"
+nm: 255.255.255.0
+gw: "{{ eth0_ipv4_gw }}"
+dns: "{{ dns1 }}"
+
+pxe_bootdev: eno33
+install_dev: /dev/sda
+mac0: "68:05:CA:CE:A7:4C"
+
+rhcos_install_img_url: "http://10.3.163.165/rhcos/rhcos-{{ rhcos_version }}-x86_64-metal.x86_64.raw.gz"
+rhcos_install_url: "http://10.3.163.65/rhcos/"
+rhcos_kernel_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-live-kernel.x86_64"
+rhcos_initrd_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-live-initramfs.x86_64.img"
+rhcos_install_rootfs_url: "http://10.3.163.65/rhcos/rhcos-{{ rhcos_version }}-x86_64-live-rootfs.x86_64.img"
+rhcos_ignition_file_url: "http://10.3.163.65/rhcos/worker.ign"
+
+network_connections:
+  - name: eth0
+    mac: "{{ mac0 }}"
+    state: up
+    type: ethernet
+    autoconnect: yes
+    ip:
+      address:
+      - "{{ eth0_ipv4 }}/{{ eth0_ipv4_nm }}"
+      gateway4: "{{ eth0_ipv4_gw }}"
+      dns:
+      - "{{ dns1 }}"
+      - "{{ dns2 }}"
+      dns_search:
+      - "{{ dns_search1 }}"
+      - "{{ dns_search2 }}"
+      - "{{ dns_search3 }}"
+      dhcp4: no
+      auto6: no
+
+vpn: true
+
+nrpe_procs_warn: 1200
+nrpe_procs_crit: 1400
diff --git a/inventory/inventory b/inventory/inventory
index ca89e9d689..21f22c4ea4 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -1054,6 +1054,29 @@ osbs_nodes_stg
 osbs_aarch64_masters_stg
 osbs_aarch64_nodes_stg
 
+[ocp:children]
+os_control
+ocp_controlplane
+ocp_workers
+ocp_boostrap
+
+[ocp_vms:children]
+ocp_boostrap
+ocp_controlplane
+
+[ocp_controlplane]
+ocp01.ocp.iad2.fedoraproject.org
+ocp02.ocp.iad2.fedoraproject.org
+ocp03.ocp.iad2.fedoraproject.org
+
+[ocp_workers]
+worker01.ocp.iad2.fedoraproject.org
+worker02.ocp.iad2.fedoraproject.org
+worker03.ocp.iad2.fedoraproject.org
+
+[ocp_boostrap]
+bootstrap.ocp.iad2.fedoraproject.org
+
 [ocp_stg:children]
 os_control_stg
 ocp_controlplane_stg
diff --git a/playbooks/include/proxies-certificates.yml b/playbooks/include/proxies-certificates.yml
index a5bb825937..b181c689df 100644
--- a/playbooks/include/proxies-certificates.yml
+++ b/playbooks/include/proxies-certificates.yml
@@ -48,6 +48,12 @@
     tags:
     - app.os.fedoraproject.org
 
+  - role: httpd/certificate
+    certname: wildcard-2021.apps.ocp.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2021.apps.fedoraproject.org.intermediate.cert
+    tags:
+    - apps.ocp.fedoraproject.org
+
   - role: httpd/certificate
     certname: getfedora.org
     SSLCertificateChainFile: getfedora.org.intermediate.cert
diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml
index d8e0fd0494..179233231d 100644
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -628,7 +628,7 @@
     balancer_name: ocp
     targettype: openshift
     ocp4: true
-    balancer_members: "{{ ocp_nodes }}"
+    balancer_members: "{{ ocp_nodes_stg }}"
     keephost: true
     tags:
     - ocp.fedoraproject.org
@@ -640,12 +640,36 @@
     balancer_name: apps-ocp
     targettype: openshift
     ocp4: true
-    balancer_members: "{{ ocp_nodes }}"
+    balancer_members: "{{ ocp_nodes_stg }}"
     keephost: true
     tags:
     - apps.ocp.fedoraproject.org
     when: env == "staging"
 
+  - role: httpd/reverseproxy
+    website: "ocp{{ env_suffix }}.fedoraproject.org"
+    destname: ocp
+    balancer_name: ocp
+    targettype: openshift
+    ocp4: true
+    balancer_members: "{{ ocp_nodes }}"
+    keephost: true
+    tags:
+    - ocp.fedoraproject.org
+    when: env == "production"
+
+  - role: httpd/reverseproxy
+    website: "apps.ocp{{ env_suffix }}.fedoraproject.org"
+    destname: apps.ocp
+    balancer_name: apps-ocp
+    targettype: openshift
+    ocp4: true
+    balancer_members: "{{ ocp_nodes }}"
+    keephost: true
+    tags:
+    - apps.ocp.fedoraproject.org
+    when: env == "production"
+
   - role: httpd/reverseproxy
     website: "provision{{ env_suffix }}.fedoraproject.org"
     destname: zezere
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 1186362e76..59ed9cbb26 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -712,6 +712,30 @@
     - apps.ocp.stg.fedoraproject.org
     when: env == "staging"
 
+  - role: httpd/website
+    site_name: ocp.fedoraproject.org
+    sslonly: true
+    cert_name: "{{wildcard_cert_name}}"
+    # The Connection and Upgrade headers don't work for h2
+    # So non-h2 is needed to fix websockets.
+    use_h2: false
+    tags:
+    - ocp.fedoraproject.org
+    when: env == "prod"
+
+  - role: httpd/website
+    site_name: apps.ocp.fedoraproject.org
+    server_aliases: ["*.apps.ocp.fedoraproject.org", api.apps.ocp.fedoraproject.org]
+    sslonly: true
+    cert_name: "{{ocp_wildcard_cert_name}}"
+    SSLCertificateChainFile: "{{ocp_wildcard_int_file}}"
+    # The Connection and Upgrade headers don't work for h2
+    # So non-h2 is needed to fix websockets.
+    use_h2: false
+    tags:
+    - apps.ocp.fedoraproject.org
+    when: env == "prod"
+
   - role: httpd/website
     site_name: registry.fedoraproject.org
     server_aliases: [registry.stg.fedoraproject.org registry-no-cdn.fedoraproject.org]
diff --git a/roles/dhcp_server/files/dhcpd.conf.noc01.iad2.fedoraproject.org b/roles/dhcp_server/files/dhcpd.conf.noc01.iad2.fedoraproject.org
index 26f31047fc..bd6349c82e 100644
--- a/roles/dhcp_server/files/dhcpd.conf.noc01.iad2.fedoraproject.org
+++ b/roles/dhcp_server/files/dhcpd.conf.noc01.iad2.fedoraproject.org
@@ -548,6 +548,31 @@ host centos01 {
      option subnet-mask 255.255.255.0;
 }
 
+# Production network
+host worker01-ocp {
+     hardware ethernet 68:05:CA:CE:A3:C9;
+     fixed-address 10.3.163.123;
+     filename "uefi/grubx64.efi";
+     next-server 10.3.163.10;
+     option routers 10.3.163.254;
+     option subnet-mask 255.255.255.0;
+}
+host worker02-ocp {
+     hardware ethernet 68:05:CA:CE:A2:90;
+     fixed-address 10.3.163.124;
+     filename "uefi/grubx64.efi";
+     next-server 10.3.163.10;
+     option routers 10.3.163.254;
+     option subnet-mask 255.255.255.0;
+}
+host worker03-ocp {
+     hardware ethernet 68:05:CA:CE:A7:4C;
+     fixed-address 10.3.163.125;
+     filename "uefi/grubx64.efi";
+     next-server 10.3.163.10;
+     option routers 10.3.163.254;
+     option subnet-mask 255.255.255.0;
+}
 # Staging network
 host worker01-ocp-stg {
      hardware ethernet 68:05:CA:CE:A2:AC;
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index c0f553e0a1..d90db19b14 100644
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -37,6 +37,34 @@ backend stats-backend
     stats enable
     stats uri /
 
+{% if env == "production" %}
+frontend ocp-masters-kapi
+    mode tcp
+    bind 0.0.0.0:6443
+    default_backend ocp-masters-backend-kapi
+
+backend ocp-masters-backend-kapi
+    mode tcp
+    server  ocp01.ocp.iad2.fedoraproject.org ocp01.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
+    server  ocp02.ocp.iad2.fedoraproject.org ocp02.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
+    server  ocp03.ocp.iad2.fedoraproject.org ocp03.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
+# temp bootstrap node
+    server  bootstrap.ocp.iad2.fedoraproject.org bootstrap.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
+
+frontend ocp-masters-machineconfig
+    mode tcp
+    bind 0.0.0.0:22623
+    default_backend ocp-masters-backend-machineconfig
+
+backend ocp-masters-backend-machineconfig
+    mode tcp
+    server  ocp01.ocp.iad2.fedoraproject.org ocp01.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
+    server  ocp02.ocp.iad2.fedoraproject.org ocp02.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
+    server  ocp03.ocp.iad2.fedoraproject.org ocp03.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
+# temp bootstrap node
+    server  bootstrap.ocp.iad2.fedoraproject.org bootstrap.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
+{% endif %}
+
 {% if env != "production" %}
 frontend ocp-masters-kapi
     mode tcp