diff --git a/.pipeline/clean-nsps.js b/.pipeline/clean-knps.js
similarity index 73%
rename from .pipeline/clean-nsps.js
rename to .pipeline/clean-knps.js
index 1c779a387..09073f139 100755
--- a/.pipeline/clean-nsps.js
+++ b/.pipeline/clean-knps.js
@@ -1,5 +1,5 @@
 'use strict';
 const settings = require('./lib/config.js')
-const task = require('./lib/clean-nsps.js')
+const task = require('./lib/clean-knps.js')
 
 task(Object.assign(settings, { phase: settings.options.env}));
diff --git a/.pipeline/deploy-nsps.js b/.pipeline/deploy-db.js
similarity index 73%
rename from .pipeline/deploy-nsps.js
rename to .pipeline/deploy-db.js
index cdfb7480b..99bc344f0 100755
--- a/.pipeline/deploy-nsps.js
+++ b/.pipeline/deploy-db.js
@@ -1,5 +1,5 @@
 'use strict';
 const settings = require('./lib/config.js')
-const task = require('./lib/deploy-nsps.js')
+const task = require('./lib/deploy-db.js')
 
 task(Object.assign(settings, { phase: settings.options.env}));
diff --git a/.pipeline/deploy-knps.js b/.pipeline/deploy-knps.js
new file mode 100755
index 000000000..a32f77476
--- /dev/null
+++ b/.pipeline/deploy-knps.js
@@ -0,0 +1,5 @@
+'use strict';
+const settings = require('./lib/config.js')
+const task = require('./lib/deploy-knps.js')
+
+task(Object.assign(settings, { phase: settings.options.env}));
diff --git a/.pipeline/lib/clean-nsps.js b/.pipeline/lib/clean-knps.js
similarity index 88%
rename from .pipeline/lib/clean-nsps.js
rename to .pipeline/lib/clean-knps.js
index 4d1c7aa3c..057239984 100755
--- a/.pipeline/lib/clean-nsps.js
+++ b/.pipeline/lib/clean-knps.js
@@ -29,12 +29,12 @@ module.exports = settings => {
       oc.namespace(phase.namespace);
       
       //remove all custom security policies create for specific pull request
-      const nsps = oc.get("networksecuritypolicies", {
+      const knps = oc.get("networkpolicies", {
         selector: `app=${phase.name}${phase.suffix}`,
         namespace: phase.namespace,
       });   
-      nsps.forEach(nsp => {
-        oc.delete([`networksecuritypolicy/${nsp.metadata.name}`], {
+      knps.forEach(knp => {
+        oc.delete([`networkpolicy/${knp.metadata.name}`], {
             "ignore-not-found": "true",
             wait: "true",
             namespace: phase.namespace,
diff --git a/.pipeline/lib/config.js b/.pipeline/lib/config.js
index 92b982857..409e03ffb 100644
--- a/.pipeline/lib/config.js
+++ b/.pipeline/lib/config.js
@@ -7,7 +7,7 @@ const ocpName = 'apps.silver.devops'
 const phases = {
   build: {  namespace:'0ab226-tools'    , name: `${name}`, phase: 'build'  , changeId:changeId, suffix: `-build-${changeId}`  , 
             instance: `${name}-build-${changeId}`  , version:`${version}-${changeId}`, tag:`build-${version}-${changeId}`,
-            releaseBranch: 'openshift-v4-migration'
+            releaseBranch: 'release-1.6.23'
           },
   dev: {namespace:'0ab226-dev'    , name: `${name}`, phase: 'dev'  , changeId:changeId, suffix: `-dev-${changeId}`  , 
         instance: `${name}-dev-${changeId}`  , version:`${version}-${changeId}`, tag:`dev-${version}-${changeId}`,
diff --git a/.pipeline/lib/deploy-db.js b/.pipeline/lib/deploy-db.js
new file mode 100644
index 000000000..8e3371aaa
--- /dev/null
+++ b/.pipeline/lib/deploy-db.js
@@ -0,0 +1,76 @@
+"use strict";
+const { OpenShiftClientX } = require("@bcgov/pipeline-cli");
+const path = require("path");
+
+module.exports = settings => {
+  const phases = settings.phases;
+  const options = settings.options;
+  const phase = options.env;
+  const changeId = phases[phase].changeId;
+  const oc = new OpenShiftClientX(Object.assign({ namespace: phases[phase].namespace }, options));
+
+  const templatesLocalBaseUrl = oc.toFileUrl(path.resolve(__dirname, "../../openshift-v4"));
+  var objects = [];
+
+  //The deployment of your cool app goes here ▼▼▼
+
+  if(phases[phase].phase === 'dev') {
+  
+    //deploy Patroni
+    objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/patroni/deployment-prereq.yaml`, {
+    'param': {
+      'NAME': 'patroni',
+      'SUFFIX': phases[phase].suffix
+    }
+    }))
+    objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/patroni/deployment.yaml`, {
+      'param': {
+        'NAME': 'patroni',
+        'ENV_NAME': phases[phase].phase,
+        'SUFFIX': phases[phase].suffix,
+        'CPU_REQUEST': phases[phase].patroniCpuRequest,
+        'CPU_LIMIT': phases[phase].patroniCpuLimit,
+        'MEMORY_REQUEST': phases[phase].patroniMemoryRequest,
+        'MEMORY_LIMIT': phases[phase].patroniMemoryLimit,
+        'IMAGE_REGISTRY': 'image-registry.openshift-image-registry.svc:5000',
+        'IMAGE_STREAM_NAMESPACE': phases[phase].namespace,
+        'IMAGE_STREAM_TAG': 'patroni:v10-stable',
+        'REPLICA': phases[phase].patroniReplica,
+        'PVC_SIZE': phases[phase].patroniPvcSize,
+        'STORAGE_CLASS': phases[phase].storageClass
+      }
+    }))
+
+    //deploy rabbitmq, use docker image directly
+    //POST_START_SLEEP is harded coded in the rabbitmq template, replacement was not successful
+    objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/rabbitmq/rabbitmq-cluster-dc.yaml`, {
+      'param': {
+        'NAME': phases[phase].name,
+        'ENV_NAME': phases[phase].phase,
+        'SUFFIX': phases[phase].suffix,
+        'NAMESPACE': phases[phase].namespace,
+        'CLUSTER_NAME': 'rabbitmq-cluster',
+        'ISTAG': 'rabbitmq:3.8.3-management',
+        'SERVICE_ACCOUNT': 'rabbitmq-discovery',
+        'VOLUME_SIZE': phases[phase].rabbitmqPvcSize,
+        'CPU_REQUEST': phases[phase].rabbitmqCpuRequest,
+        'CPU_LIMIT': phases[phase].rabbitmqCpuLimit,
+        'MEMORY_REQUEST': phases[phase].rabbitmqMemoryRequest,
+        'MEMORY_LIMIT': phases[phase].rabbitmqMemoryLimit,
+        'REPLICA': phases[phase].rabbitmqReplica,
+        'POST_START_SLEEP': phases[phase].rabbitmqPostStartSleep,
+        'STORAGE_CLASS': phases[phase].storageClass
+      }
+    }))
+  }
+  
+  oc.applyRecommendedLabels(
+    objects,
+    phases[phase].name,
+    phase,
+    `${changeId}`,
+    phases[phase].instance,
+  );
+  oc.importImageStreams(objects, phases[phase].tag, phases.build.namespace, phases.build.tag);
+  oc.applyAndDeploy(objects, phases[phase].instance);
+};
diff --git a/.pipeline/lib/deploy-nsps.js b/.pipeline/lib/deploy-knps.js
similarity index 81%
rename from .pipeline/lib/deploy-nsps.js
rename to .pipeline/lib/deploy-knps.js
index 873c47275..9d6b35fb2 100755
--- a/.pipeline/lib/deploy-nsps.js
+++ b/.pipeline/lib/deploy-knps.js
@@ -15,12 +15,10 @@ module.exports = settings => {
 
   //The deployment of your cool app goes here ▼▼▼
 
-  objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/nsp/nsp-env.yaml`, {
+  objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/knp/knp-env-pr.yaml`, {
     'param': {
-      'NAME': phases[phase].name,
-      'ENV_NAME': phases[phase].phase,
-      'SUFFIX': phases[phase].suffix,
-      'API_VERSION': 'security.devops.gov.bc.ca/v1alpha1'
+      'ENVIRONMENT': phases[phase].phase,
+      'SUFFIX': phases[phase].suffix
     }
   }))
   
diff --git a/.pipeline/lib/deploy.js b/.pipeline/lib/deploy.js
index cab70ea28..00f486dc3 100755
--- a/.pipeline/lib/deploy.js
+++ b/.pipeline/lib/deploy.js
@@ -14,57 +14,6 @@ module.exports = settings => {
   var objects = [];
 
   //The deployment of your cool app goes here ▼▼▼
-/*
-  if(phases[phase].phase === 'dev') {
-  
-    //deploy Patroni
-    objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/patroni/deployment-prereq.yaml`, {
-    'param': {
-      'NAME': 'patroni',
-      'SUFFIX': phases[phase].suffix
-    }
-    }))
-    objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/patroni/deployment.yaml`, {
-      'param': {
-        'NAME': 'patroni',
-        'ENV_NAME': phases[phase].phase,
-        'SUFFIX': phases[phase].suffix,
-        'CPU_REQUEST': phases[phase].patroniCpuRequest,
-        'CPU_LIMIT': phases[phase].patroniCpuLimit,
-        'MEMORY_REQUEST': phases[phase].patroniMemoryRequest,
-        'MEMORY_LIMIT': phases[phase].patroniMemoryLimit,
-        'IMAGE_REGISTRY': 'image-registry.openshift-image-registry.svc:5000',
-        'IMAGE_STREAM_NAMESPACE': phases[phase].namespace,
-        'IMAGE_STREAM_TAG': 'patroni:v10-stable',
-        'REPLICA': phases[phase].patroniReplica,
-        'PVC_SIZE': phases[phase].patroniPvcSize,
-        'STORAGE_CLASS': phases[phase].storageClass
-      }
-    }))
-
-    //deploy rabbitmq, use docker image directly
-    //POST_START_SLEEP is harded coded in the rabbitmq template, replacement was not successful
-    objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/rabbitmq/rabbitmq-cluster-dc.yaml`, {
-      'param': {
-        'NAME': phases[phase].name,
-        'ENV_NAME': phases[phase].phase,
-        'SUFFIX': phases[phase].suffix,
-        'NAMESPACE': phases[phase].namespace,
-        'CLUSTER_NAME': 'rabbitmq-cluster',
-        'ISTAG': 'rabbitmq:3.8.3-management',
-        'SERVICE_ACCOUNT': 'rabbitmq-discovery',
-        'VOLUME_SIZE': phases[phase].rabbitmqPvcSize,
-        'CPU_REQUEST': phases[phase].rabbitmqCpuRequest,
-        'CPU_LIMIT': phases[phase].rabbitmqCpuLimit,
-        'MEMORY_REQUEST': phases[phase].rabbitmqMemoryRequest,
-        'MEMORY_LIMIT': phases[phase].rabbitmqMemoryLimit,
-        'REPLICA': phases[phase].rabbitmqReplica,
-        'POST_START_SLEEP': phases[phase].rabbitmqPostStartSleep,
-        'STORAGE_CLASS': phases[phase].storageClass
-      }
-    }))
-  }
-*/
 
   //deploy backend
   objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/backend/backend-dc.yaml`, {
@@ -90,31 +39,6 @@ module.exports = settings => {
     }
   }))
 
-/*
-  //deploy backend others
-  objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/backend/backend-dc-others.yaml`, {
-    'param': {
-      'NAME': phases[phase].name,
-      'SUFFIX': phases[phase].suffix,
-      'BACKEND_HOST':phases[phase].backendHost
-    }
-  }))
- 
-  //deploy frontend
-  objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/frontend/frontend-dc-others.yaml`, {
-    'param': {
-      'NAME': phases[phase].name,
-      'SUFFIX': phases[phase].suffix,
-      'VERSION': phases[phase].tag,
-      'KEYCLOAK_AUTHORITY': phases[phase].frontendKeycloakAuthority,
-      'KEYCLOAK_CLIENT_ID': phases[phase].frontendKeycloakClientId,
-      'KEYCLOAK_CALLBACK_URL': phases[phase].frontendKeycloakCallbackUrl,
-      'KEYCLOAK_LOGOUT_URL': phases[phase].frontendKeycloakLogoutUrl,
-      'FRONTEND_HOST': phases[phase].frontendHost,
-      'BACKEND_HOST': phases[phase].backendHost
-    }
-  }))
-
   objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/frontend/frontend-dc.yaml`, {
     'param': {
       'NAME': phases[phase].name,
@@ -144,15 +68,6 @@ module.exports = settings => {
     }
   })) 
 
-  //deploy notification server
-  objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/notification/notification-server-others-dc.yaml`, {
-    'param': {
-      'NAME': phases[phase].name,
-      'SUFFIX': phases[phase].suffix,
-      'FRONTEND_HOST': phases[phase].frontendHost
-    }
-  }))
-
   //deploy notification server
   objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/notification/notification-server-dc.yaml`, {
     'param': {
@@ -197,6 +112,40 @@ module.exports = settings => {
     }
   }))
 
+  //only deploy on dev for Tracking PR
+  if(phases[phase].phase === 'dev') {
+
+    objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/frontend/frontend-dc-others.yaml`, {
+      'param': {
+        'NAME': phases[phase].name,
+        'SUFFIX': phases[phase].suffix,
+        'VERSION': phases[phase].tag,
+        'KEYCLOAK_AUTHORITY': phases[phase].frontendKeycloakAuthority,
+        'KEYCLOAK_CLIENT_ID': phases[phase].frontendKeycloakClientId,
+        'KEYCLOAK_CALLBACK_URL': phases[phase].frontendKeycloakCallbackUrl,
+        'KEYCLOAK_LOGOUT_URL': phases[phase].frontendKeycloakLogoutUrl,
+        'FRONTEND_HOST': phases[phase].frontendHost,
+        'BACKEND_HOST': phases[phase].backendHost
+      }
+    }))
+
+    objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/notification/notification-server-others-dc.yaml`, {
+      'param': {
+        'NAME': phases[phase].name,
+        'SUFFIX': phases[phase].suffix,
+        'FRONTEND_HOST': phases[phase].frontendHost
+      }
+    }))  
+
+    objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/backend/backend-dc-others.yaml`, {
+      'param': {
+        'NAME': phases[phase].name,
+        'SUFFIX': phases[phase].suffix,
+        'BACKEND_HOST':phases[phase].backendHost
+      }
+    }))  
+  }
+
   //only deploy schemaspy for test and prod
   if(phases[phase].phase === 'test' || phases[phase].phase === 'prod') {
     objects = objects.concat(oc.processDeploymentTemplate(`${templatesLocalBaseUrl}/templates/schema-spy/schemaspy-dc.yaml`, {
@@ -215,7 +164,7 @@ module.exports = settings => {
       }
     }))
   }
-*/
+
   oc.applyRecommendedLabels(
     objects,
     phases[phase].name,
diff --git a/.pipeline/package.json b/.pipeline/package.json
index cd953c07f..471d5c744 100644
--- a/.pipeline/package.json
+++ b/.pipeline/package.json
@@ -8,10 +8,11 @@
   "scripts": {
     "build": "node build.js",
     "clean": "node clean.js",
-    "clean-nsps": "node clean-nsps.js",
+    "clean-knps": "node clean-knps.js",
     "deploy": "node deploy.js",
-    "deploy-nsps": "node deploy-nsps.js",
+    "deploy-knps": "node deploy-knps.js",
     "deploy-unittest": "node deploy-unittest.js",
+    "deploy-db": "node deploy-db.js",
     "version": "echo \"node@$(node --version) ($(which node))\" && echo \"npm@$(npm --version) ($(which npm))\" && npm ls"
   },
   "repository": {
diff --git a/frontend/src/actions/documentUploads.js b/frontend/src/actions/documentUploads.js
index 78bcd4f1f..b9032dadc 100644
--- a/frontend/src/actions/documentUploads.js
+++ b/frontend/src/actions/documentUploads.js
@@ -285,7 +285,10 @@ const updateDocumentUploadSuccess = response => ({
 
 const uploadDocument = (url, blob, callback = null) => dispatch => (
   axios.put(url, blob, {
-    'content-type': 'multipart/form-data',
+    transformRequest: (data, headers) => {
+      headers.Authorization = null;
+      return data;
+    },
     onUploadProgress: (progressEvent) => {
       if (callback) {
         callback(progressEvent);
diff --git a/frontend/src/secure_file_submission/components/SecureFileSubmissionFileAttachments.js b/frontend/src/secure_file_submission/components/SecureFileSubmissionFileAttachments.js
index 873e9c1b1..f694701a6 100644
--- a/frontend/src/secure_file_submission/components/SecureFileSubmissionFileAttachments.js
+++ b/frontend/src/secure_file_submission/components/SecureFileSubmissionFileAttachments.js
@@ -30,6 +30,9 @@ const SecureFileSubmissionFileAttachments = props => (
             className="text"
             onClick={() => {
               axios.get(attachment.url, {
+                transformRequest: (data, headers) => {
+                  headers.Authorization = null;
+                },
                 responseType: 'blob'
               }).then((response) => {
                 const objectURL =
diff --git a/maintenance/Caddyfile b/maintenance/Caddyfile
deleted file mode 100644
index 8f3266e6a..000000000
--- a/maintenance/Caddyfile
+++ /dev/null
@@ -1,7 +0,0 @@
-0.0.0.0:2015
-
-root * /var/www/html
-
-log stdout
-
-rewrite * /maintenance.html
diff --git a/openshift-v4/templates/Readmd.md b/openshift-v4/templates/Readmd.md
new file mode 100644
index 000000000..75d85cb3e
--- /dev/null
+++ b/openshift-v4/templates/Readmd.md
@@ -0,0 +1,29 @@
+## Create tracking PR
+* Create release branch from master and make it as the default branch
+* Create a Tracking PR to bring the release branch to master
+* All other PRs target the release PR
+* Only deploy the Tracking PR to Dev, test and Prod, not any other single PR
+
+## Build tracking PR
+* Update .pipeline/config.js releaseBranch to be the release branch
+* Under .pipeline,  npm run build -- --pr= --env=build
+
+## Deploy tracking PR
+
+### deploy database for the PR on Dev
+* Create knps for the PR
+npm run deploy-knps -- --pr= --env=dev
+* Deploy the patroni
+npm run deploy-db -- --pr= --env=dev
+* Update user and restore the backup to database
+Refer to the last section of openshift-v4/templates/patroni/README.md, remember to verify the Dev database user
+* Add tfrs user and /tfrs vhost to rabbitmq
+Refer to the last section of penshift-v4/templates/rabbitmq
+* Deploy PR 
+npm run deploy -- --pr= --env=dev
+
+### deploy database for the PR on Test or Prod
+* Only need to deploy compiled components, nothing else as all others are already there
+npm run deploy -- --pr= --env=test
+npm run deploy -- --pr= --env=prod
+
diff --git a/openshift-v4/templates/celery/celery-bc.yaml b/openshift-v4/templates/celery/celery-bc.yaml
index 66202f197..0614265ea 100644
--- a/openshift-v4/templates/celery/celery-bc.yaml
+++ b/openshift-v4/templates/celery/celery-bc.yaml
@@ -71,6 +71,8 @@ objects:
     strategy:
       type: Docker
       dockerStrategy:
+        pullSecret:
+          name: docker-creds              
         noCache: true
         env:
         - name: tfrs_release
diff --git a/openshift-v4/templates/knp/README.md b/openshift-v4/templates/knp/README.md
new file mode 100644
index 000000000..58bc1a73f
--- /dev/null
+++ b/openshift-v4/templates/knp/README.md
@@ -0,0 +1,36 @@
+
+## For Aporeto network security policies  
+
+### remove all Aporeto network security policies  
+oc get nsp -n <namespace>
+oc delete nsp,en --all -n <namespace>
+
+### Apply generic Aporeto network security policies
+oc process -f nsp-generic.yaml NAMESPACE_PREFIX=<LICENS_PLATE_HERE> ENVIRONMENT=<ENVIRONMENT_NAME_HERE> | oc apply -f - -n <namespace>
+Note: once it is applied, the application will NOT be blocked by Aporeto. Aporeto should become transparent.
+
+## For the new network policies
+
+### For tools project, apply quick start  
+oc process -f knp-quick-start.yaml NAMESPACE_PREFIX=<LICENS_PLATE_HERE> ENVIRONMENT=<ENVIRONMENT_NAME_HERE> | oc apply -f - -n <namespace>
+Note : the quick start include three knps: deny-by-default, allow-from-openshift-ingress and allow-all-internal. Once the quick start is applied, the application will NOT be blocked by Openshift network policies.
+
+### For environment projects
+oc process -f knp-env-base.yaml | oc create -f - -n <Namespace>
+oc process -f knp-env-non-pr.yaml ENVIRONMENT=<ENVIRONMENT_NAME_HERE> | oc create -f - -n <Namespace>
+#### For Dev
+Apply knp-env-pr.yaml through pipeline
+#### For Test and Prod
+oc process -f knp-env-pr.yaml SUFFIX=-test ENVIRONMENT=test | oc create -f - -n <Namespace>
+oc process -f knp-env-pr.yaml SUFFIX=-prod ENVIRONMENT=prod | oc create -f - -n <Namespace>
+
+## Setup the new network policies on Test
+oc get nsp -n 0ab226-test
+oc delete nsp,en --all -n 0ab226-test
+oc process -f nsp-generic.yaml NAMESPACE_PREFIX=0ab226 ENVIRONMENT=test | oc apply -f - -n 0ab226-test
+oc process -f knp-env-base.yaml ENVIRONMENT=test | oc create -f - -n 0ab226-test 
+oc process -f knp-env-non-pr.yaml ENVIRONMENT=test | oc create -f - -n 0ab226-test
+oc process -f knp-env-pr.yaml SUFFIX=-test ENVIRONMENT=test | oc create -f - -n 0ab226-test
+
+
+    
\ No newline at end of file
diff --git a/openshift-v4/templates/knp/knp-diagram.drawio b/openshift-v4/templates/knp/knp-diagram.drawio
new file mode 100644
index 000000000..94222f1de
--- /dev/null
+++ b/openshift-v4/templates/knp/knp-diagram.drawio
@@ -0,0 +1 @@
+<mxfile host="app.diagrams.net" modified="2021-03-03T19:52:49.579Z" agent="5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36" etag="PLM-8XQxviG2i1YamTnQ" version="14.4.3" type="device"><diagram id="AIra0pvackN1RxZxVPas" name="Page-1">5V1de5u4Ev41uSQPQnzYl0maNO1p93Q323Pa3GGQbTYYsYBje3/9CltgkISNY0By2lzUDDKIeedLMyN8Be8W64+JG8+/Yh+FV4bur6/ghyvDALozIv/llA2lOMDeUWZJ4FPanvAU/IOKr1LqMvBRWhuYYRxmQVwnejiKkJfVaG6S4FV92BSH9bvG7gxxhCfPDXnq/wM/m++oI0vf0x9RMJsXdwY6PbNwi8GUkM5dH68qJHh/Be8SjLPdp8X6DoU59wq+7L730HC2nFiCoqzNFybm82/GV+uP6befN3///vWvxzvoa8Cik8s2xRMjnzCAHuIkm+MZjtzwfk+9TfAy8lF+WZ0c7cd8wTgmRECIf6Es21A03WWGCWmeLUJ6Ns0S/ILucIiT7T2hDsgfJGf4h6LPmeJl4qFDT0KFw01mKDswDu7G5U9ZuQFl2UeEFyhLNmRAgkI3C17rYuBSaZqV4/YMJx8oz0/h/+66r264pHeaJjjKUORfGXZInuN2kpBPs/zTSB/pPFphSFQhR2U1DzL0FLtbLq2IOtZ57qbxTj+mwTrHrpnVryjJ0Pogc+hZ6NAJUe3WgEkJq4quUNK8oiYFrXN+GqYMeUbrIPtBv55//lmhf1hXTnzY0IM+NAC21ICxUhpgSLFAhLnJZgvZtVUc/iyAyg/2sG2PVMANGGoBZ8tUNVBRNYqhksoG1PI3hqMMaMpCNlIKMchFCBPXe7nQAMGRHB5AOeFB6WxOcTVTEgdWFODhYUz+9aQa5kWGDlCNxYttPzzY9iD8h0ApAEzONkU4C6aBR+6NIy1FCTEVl2CnLHYhY+iyFzIjqZYKVC0VOGKp+rBI1kVaJGN8OaipsWhti7NicTQUGLBBV62OU1+3Xo8d5xjg+dE3lASEBSg5IAXDh+ZtpUCx0NyQLATWKfreR9zSFrfu4xb61W84IHMu/fjYqPvx0o0Xl9jNlH6Lgb+cxtslwuICIg+FiIqaMtGOw0Q70JK9LJOSSurDkNlt3ZlauTwoJy0kXBdfRtzSFmi14lMod1VxNs7DRyatFVpafPp4/+lH6sUfJ8GP359f4W8TfSaqK06Q5y6Jx8lL5Tjxg8jNCJvIrT0PpSlKycdFEAX4chYwTIKsBLuPQKetGLQOdKgr1vRr0zSMmjvWbHr81mCoGIKn0xT1EufYnHilnhtpNclSOeKxgOyIR6FEgYyap3OR7tOUvOo/BTU13GdbnNVa2Dti8zZ3Iz9Eqpk2yKSuBS04Y4FpG/dl2kYc82KXSFYU8IUAy8xTKHx5QBeEqTJ5bI4b0gqy3MeY43HiTiZBtvhbwGTbETAZ7Mgqcbns+VSFyyZUx9zLqMEUeFyY9S6mzbRMLGMSn0aZG0SqmfCyZ5gKvjmSLPhATmtXV4ntLkS/bTtx5wGqOLENRoxtZN13z4ltIHe9cqJEiPrNhk8RtpYhxWqbRTriMrCWipxijo/P+kXuLMCpWu7OYFYsZrEJpeLubIt3dwXtHL4Z9vpTCo1/vOhltfjP3QtYoe8akLppoH1TbEMiYK8vCiRKi8KWrJLwTZK4m8qAOPeIabNjNYuSSLFBbcTsomLG28xS8OTxls7I627G3XprgzMEXugu3Fd+HQghECS1VOoZLjfQSYuG+RZsWilhmTnWdcWYaTO2FtjDMTOefVn7waO9maVR/DJ5uv3v+HNRmFJhSX3ccJY51HKDyRuyqB0YVaPtQlxae7AQaylxpFT+SwvkhfxXKH3VXtfOWLMNiXQ/6/5ToxfA9LsBGs00RSPseMPsNhoRiqFKe27eaPIVFkQgzeYfnHclWELrDCUEO7UiI6uuCQPuTBMqiZxd0Ce30jV0EBxVqz5UBLbN0iiWX4N8mkZNFRkxKzEwYNfMeP38v80fM7x5jqzvyy+rP28+WYK9sBzDvGXyulWJnYD6N/k7YMghWf+maeC1SMEc2UyuTg/NqKX4t01SVlC1BKgWtDMrGVZTLb24xO65uUoGfyGbvZBdv1BDSeTUGMs2xRNunFfPGR+hZvANeb+yZoxbakbbIH4YzYDAubbqogbfqBvQZi8FWKPckXbwdyom3Tg37jGZHOrZGiJO8nMa4sbEh94QWkORhHjJ7FBuIcJR7pinQRgyJDcMZlGuWkRy8512t7nPDTw3vKEnFoHvh01evR7WdeDHDdNgOC7qMNgDWZVtowNfLsSDT1FH7gLtAKENY9qubeP9AjOya6hYguQsgAKD0xsoogBrl+ROYzcq0txeuEwJ+zQeMB+9apbl8JnxgkJmVb2SotDmBbNi6aV3gLPJhBBQ0NkGnCGBFry5oQQzmyapRl8ys0dUSaA6wAYy2IgqJCVtEGz4TaQMNrs9pe8fGofJ0ZhQAI0oIOsNGj7MZqHZllm1DKXZ+8UFMllkKMgLDOu3+IZ9BpfirZrvX2mgWQ/1NOn2jN8QwIDD7h1THKSmdpouLB6og2cLAoUSqEHA43caiMCjO2N+XeBGjEnU+JY2INqF0xtugiZ4BjjBq7p+XfwsdhdVWSmVpnnCbs4agtsuJJVjjT4tJbNnwpAegwjaxMoM0xYuqlxasVVLo+voXw+8ps0MVV3rC7tH5+nzav0pQl/u9JvF4zLLfjzL6VR621sPGtlfzYoLH1JaU7s4D8xqMGz5rqZTM9RjZhVp2Id7ZI6MPzs7LcRG7kvQTyzmS2iLPEugh3r7GNCZkiRg6zfd7dI6xJCKB3ry5mjhpnH+dN+WkzDwLuF1rGO2RixI/PTVeCBk7NG8T7rls0YYrcVbNqsclnWBECPpohRQGZIN4sKlvNnqzOK18EGcYYwV1z7hDON+4ZENM5z7dbotDh/ieYPhvFn6QXYJdhPobEw14O/xCBnbIn1UGk43Z/N7t5tsSWPINMNscW+a6Oufn2+/u8az9+CGIyB7k8BpP78jNI1HzazwuU9aDZ1hfc8Chw/oaF2WSG3npoeTYgFjmxNoDtPTw8u1qMDNOp3OOMcXuHGMonQeTLPrfOveg4/iEG9QosXYv842MTVKc4xfNBF3VTJB5yHFFLwFrUBdJV/I4f73DXe+ev8zkfD+Xw==</diagram></mxfile>
\ No newline at end of file
diff --git a/openshift-v4/templates/knp/knp-env-base.yaml b/openshift-v4/templates/knp/knp-env-base.yaml
new file mode 100644
index 000000000..a793d4b52
--- /dev/null
+++ b/openshift-v4/templates/knp/knp-env-base.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: template.openshift.io/v1
+kind: Template
+labels:
+  template: tfrs-network-policy
+metadata:
+  name: tfrs-network-policy
+objects:
+  ## Base Network Policies
+  - kind: NetworkPolicy
+    apiVersion: networking.k8s.io/v1
+    metadata:
+      name: deny-by-default
+    spec:
+      # The default posture for a security first namespace is to
+      # deny all traffic. If not added this rule will be added
+      # by Platform Services during environment cut-over.
+      podSelector: {}
+      ingress: []
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-from-openshift-ingress
+    spec:
+      # This policy allows any pod with a route & service combination
+      # to accept traffic from the OpenShift router pods. This is
+      # required for things outside of OpenShift (like the Internet)
+      # to reach your pods.
+      ingress:
+        - from:
+            - namespaceSelector:
+                matchLabels:
+                  network.openshift.io/policy-group: ingress
+      podSelector: {}
+      policyTypes:
+        - Ingress      
diff --git a/openshift-v4/templates/knp/knp-env-non-pr.yaml b/openshift-v4/templates/knp/knp-env-non-pr.yaml
new file mode 100644
index 000000000..6d8d9d684
--- /dev/null
+++ b/openshift-v4/templates/knp/knp-env-non-pr.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: template.openshift.io/v1
+kind: Template
+labels:
+  template: tfrs-network-policy
+metadata:
+  name: tfrs-network-policy
+parameters:
+  - name: ENVIRONMENT
+    displayName: null
+    description: such as dev, test or prod
+    required: true  
+objects:
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-minio-accepts-nagios
+    spec:
+      ## Allow minio to accept communication from nagios
+      podSelector:
+        matchLabels:
+          app: tfrs-minio-${ENVIRONMENT}
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  app: nagios
+          ports:
+            - protocol: TCP
+              port: 9000                
\ No newline at end of file
diff --git a/openshift-v4/templates/knp/knp-env-pr.yaml b/openshift-v4/templates/knp/knp-env-pr.yaml
new file mode 100644
index 000000000..f9d45882e
--- /dev/null
+++ b/openshift-v4/templates/knp/knp-env-pr.yaml
@@ -0,0 +1,395 @@
+---
+apiVersion: template.openshift.io/v1
+kind: Template
+labels:
+  template: tfrs-network-policy
+metadata:
+  name: tfrs-network-policy
+parameters:
+  - name: SUFFIX
+    displayName: null
+    description: sample is -dev-97
+    required: true  
+  - name: ENVIRONMENT
+    displayName: null
+    description: such as dev, test or prod
+    required: true  
+objects:
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-backend-accepts-frontend${SUFFIX}
+    spec:
+      ## Allow backend to accept communication from frontend
+      podSelector:
+        matchLabels:
+          name: tfrs-backend${SUFFIX}
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: tfrs-frontend${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 8080
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-patroni-accepts-backend${SUFFIX}
+    spec:
+      ## Allow patroni to accept communications from backend
+      podSelector:
+        matchLabels:
+          cluster-name: patroni${SUFFIX}
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: tfrs-backend${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 5432
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-patroni-accepts-scan-handler${SUFFIX}
+    spec:
+      ## Allow patroni to accept communications from scan handler
+      podSelector:
+        matchLabels:
+          cluster-name: patroni${SUFFIX}
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: tfrs-scan-handler${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 5432
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-patroni-accepts-celery${SUFFIX}
+    spec:
+      ## Allow patroni to accept communications from celery
+      podSelector:
+        matchLabels:
+          cluster-name: patroni${SUFFIX}
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: tfrs-celery${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 5432
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-patroni-accepts-nagios
+    spec:
+      ## Allow patroni to accept communications from nagios
+      podSelector:
+        matchLabels:
+          cluster-name: patroni${SUFFIX}
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  app: nagios
+          ports:
+            - protocol: TCP
+              port: 5432
+            - protocol: TCP
+              port: 8008              
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-patroni-accepts-backup-container
+    spec:
+      ## Allow patroni to accept communications from backup container
+      podSelector:
+        matchLabels:
+          cluster-name: patroni${SUFFIX}
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: patroni-backup
+          ports:
+            - protocol: TCP
+              port: 5432
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-patroni-accepts-patroni-itself${SUFFIX}
+    spec:
+      ## Allow patroni to accept communications from other patroni pods
+      podSelector:
+        matchLabels:
+          cluster-name: patroni${SUFFIX}
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  cluster-name: patroni${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 5432    
+            - protocol: TCP
+              port: 8008                    
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-rabbitmq-accepts-notification-server${SUFFIX}
+    spec:
+      ## Allow rabbitmq to accept communications from notification server
+      podSelector:
+        matchLabels:
+          app: tfrs${SUFFIX}-rabbitmq-cluster
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: tfrs-notification-server${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 5672    
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-rabbitmq-accepts-backend${SUFFIX}
+    spec:
+      ## Allow rabbitmq to accept communications from backend
+      podSelector:
+        matchLabels:
+          app: tfrs${SUFFIX}-rabbitmq-cluster
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: tfrs-backend${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 5672               
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-rabbitmq-accepts-scan-handler${SUFFIX}
+    spec:
+      ## Allow rabbitmq to accept communications from scan handler
+      podSelector:
+        matchLabels:
+          app: tfrs${SUFFIX}-rabbitmq-cluster
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: tfrs-scan-handler${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 5672            
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-rabbitmq-accepts-scan-coordinator${SUFFIX}
+    spec:
+      ## Allow rabbitmq to accept communications from scan coordinator
+      podSelector:
+        matchLabels:
+          app: tfrs${SUFFIX}-rabbitmq-cluster
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: tfrs-scan-coordinator${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 5672                 
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-rabbitmq-accepts-nagios
+    spec:
+      ## Allow rabbitmq to accept communications from nagios
+      podSelector:
+        matchLabels:
+          app: tfrs${SUFFIX}-rabbitmq-cluster
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  app: nagios
+          ports:
+            - protocol: TCP
+              port: 5672           
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-rabbitmq-accepts-celery${SUFFIX}
+    spec:
+      ## Allow rabbitmq to accept communications from celery
+      podSelector:
+        matchLabels:
+          app: tfrs${SUFFIX}-rabbitmq-cluster
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: tfrs-celery${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 5672           
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-rabbitmq-accepts-itself${SUFFIX}
+    spec:
+      ## Allow rabbitmq to accept communications from other rabbitmq pods
+      podSelector:
+        matchLabels:
+          app: tfrs${SUFFIX}-rabbitmq-cluster
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  app: tfrs${SUFFIX}-rabbitmq-cluster
+          ports:
+            - protocol: TCP
+              port: 5672                    
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-clamav-accepts-backend${SUFFIX}
+    spec:
+      ## Allow clamav to accept communications from backend
+      podSelector:
+        matchLabels:
+          name: tfrs-clamav-${ENVIRONMENT}
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: tfrs-backend${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 3310                  
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-clamav-accepts-scan-coordinator${SUFFIX}
+    spec:
+      ## Allow clamav to accept communications from scan coordinator
+      podSelector:
+        matchLabels:
+          name: tfrs-clamav-${ENVIRONMENT}
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: tfrs-scan-coordinator${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 3310                      
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-minio-accepts-scan-coordinator${SUFFIX}
+    spec:
+      ## Allow minio to accept communications from scan coordinator
+      podSelector:
+        matchLabels:
+          name: tfrs-minio-${ENVIRONMENT}
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: tfrs-scan-coordinator${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 9000             
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-minio-accepts-celery${SUFFIX}
+    spec:
+      ## Allow minio to accept communications from celery
+      podSelector:
+        matchLabels:
+          name: tfrs-minio-${ENVIRONMENT}
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: tfrs-celery${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 9000        
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-minio-accepts-backed
+    spec:
+      ## Allow minio to accept communications from celery
+      podSelector:
+        matchLabels:
+          name: tfrs-minio-${ENVIRONMENT}
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: tfrs-backend${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 9000                                                                                   
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-patroni-accepts-schemaspy-public${SUFFIX}
+    spec:
+      ## Allow patroni to accept communications from schemaspy-public
+      podSelector:
+        matchLabels:
+          cluster-name: patroni${SUFFIX}
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: tfrs-schema-spy-public${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 5432
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-patroni-accepts-schemaspy-audit${SUFFIX}
+    spec:
+      ## Allow patroni to accept communications from schemaspy-audit
+      podSelector:
+        matchLabels:
+          cluster-name: patroni${SUFFIX}
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  name: tfrs-schema-spy-audit${SUFFIX}
+          ports:
+            - protocol: TCP
+              port: 5432              
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-patroni-accepts-backendmid${SUFFIX}
+    spec:
+      ## Allow patroni to accept communications from backend mid lifecycle pod
+      podSelector:
+        matchLabels:
+          cluster-name: patroni${SUFFIX}
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  openshift.io/deployer-pod.type: hook-mid
+          ports:
+            - protocol: TCP
+              port: 5432
\ No newline at end of file
diff --git a/openshift-v4/templates/knp/knp-quick-start.yaml b/openshift-v4/templates/knp/knp-quick-start.yaml
new file mode 100644
index 000000000..e7a97a6b3
--- /dev/null
+++ b/openshift-v4/templates/knp/knp-quick-start.yaml
@@ -0,0 +1,60 @@
+---
+apiVersion: template.openshift.io/v1
+kind: Template
+labels:
+  template: zeva-network-policy
+metadata:
+  name: zeva-network-policy
+parameters:
+  - name: ENVIRONMENT
+    displayName: null
+    description: such as dev, test or prod
+    required: true  
+  - name: NAMESPACE_PREFIX
+    displayName: null
+    description: the namespace prefix
+    required: true          
+objects:
+  - kind: NetworkPolicy
+    apiVersion: networking.k8s.io/v1
+    metadata:
+      name: deny-by-default
+    spec:
+      # The default posture for a security first namespace is to
+      # deny all traffic. If not added this rule will be added
+      # by Platform Services during environment cut-over.
+      podSelector: {}
+      ingress: []
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-from-openshift-ingress
+    spec:
+      # This policy allows any pod with a route & service combination
+      # to accept traffic from the OpenShift router pods. This is
+      # required for things outside of OpenShift (like the Internet)
+      # to reach your pods.
+      ingress:
+        - from:
+            - namespaceSelector:
+                matchLabels:
+                  network.openshift.io/policy-group: ingress
+      podSelector: {}
+      policyTypes:
+        - Ingress
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-all-internal
+    spec:
+      # Allow all pods within the current namespace to communicate
+      # to one another.
+      ingress:
+        - from:
+            - namespaceSelector:
+                matchLabels:
+                  environment: ${ENVIRONMENT}
+                  name: ${NAMESPACE_PREFIX}
+      podSelector: {}
+      policyTypes:
+        - Ingress
\ No newline at end of file
diff --git a/openshift-v4/templates/knp/nsp-generic.yaml b/openshift-v4/templates/knp/nsp-generic.yaml
new file mode 100644
index 000000000..1be996f06
--- /dev/null
+++ b/openshift-v4/templates/knp/nsp-generic.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: template.openshift.io/v1
+kind: Template
+labels:
+  template: quickstart-network-security-policy
+metadata:
+  name: quickstart-network-security-policy
+objects:
+  - apiVersion: security.devops.gov.bc.ca/v1alpha1
+    kind: NetworkSecurityPolicy
+    metadata:
+      name: any-to-any
+    spec:
+      description: |
+        allow all pods to communicate
+      source:
+        - - "$namespace=${NAMESPACE_PREFIX}-${ENVIRONMENT}"
+      destination:
+        - - "$namespace=*"
+  - apiVersion: security.devops.gov.bc.ca/v1alpha1
+    kind: NetworkSecurityPolicy
+    metadata:
+      name: any-to-external
+    spec:
+      description: |
+        Allow all pods to talk to external systems
+      source:
+        - - "$namespace=${NAMESPACE_PREFIX}-${ENVIRONMENT}"
+      destination:
+        - - "ext:network=any"
+parameters:
+  - name: NAMESPACE_PREFIX
+    displayName: Namespace Prefix
+    description: |
+      The prefix (a.k.a license plate) of the namespace this policy
+      is being deployed to;
+    required: true
+  - name: ENVIRONMENT
+    displayName: Environment Name
+    description: |
+      The environment (i.e dev/test/prod/tools) this policy is 
+      being deployed to.
+    required: true
\ No newline at end of file
diff --git a/openshift-v4/templates/maintenance-page/Dockerfile b/openshift-v4/templates/maintenance-page/Dockerfile
new file mode 100644
index 000000000..d55c746af
--- /dev/null
+++ b/openshift-v4/templates/maintenance-page/Dockerfile
@@ -0,0 +1,5 @@
+FROM httpd:2.4.46
+COPY ./httpd.conf /usr/local/apache2/conf/httpd.conf
+COPY ./public-html/ /usr/local/apache2/htdocs/
+RUN chgrp -R root /usr/local/apache2/logs \
+    && chmod -R g+w /usr/local/apache2/logs
\ No newline at end of file
diff --git a/openshift-v4/templates/maintenance-page/README.md b/openshift-v4/templates/maintenance-page/README.md
deleted file mode 100644
index 0098eeec4..000000000
--- a/openshift-v4/templates/maintenance-page/README.md
+++ /dev/null
@@ -1,45 +0,0 @@
-# TFRS
-
-## Maintenance Mode
-
-### Usage
-
-Maintenance-page pods serving static html are deployed to our prod, dev and test environments.  To enable maintenance mode switch the routes between the tfrs and Maintenance-page services.  A namespace (project) for deployment must be specified.
-
-Expected namespaces:
-
-* mem-tfrs-prod
-* mem-tfrs-dev
-* mem-tfrs-test
-
-1. ##### Build Maintenance Page Image
-
-    ```
-    oc project mem-tfrs-tools
-    oc process -f ./maintenance-page.bc.json | oc create -f -
-    ```
-
-2. ##### Deploy Maintenance Page Image
-
-    ```
-    oc project mem-tfrs-[ENV_NAME]
-    oc process -f ./maintenance-page.dc.json ENV_NAME=[ENV_NAME] | oc create -f - 
-    ```
-
-2. ##### Enable/Disable by Command line
-
-    Maintenance mode on.
-
-    ```
-    oc patch route dev-lowcarbonfuels-frontend -n mem-tfrs-[ENV_NAME] \
-    -p '{ "spec": { "to": { "name": "maintenance-page" },"port": { "targetPort": "2015-tcp" }}}'
-
-    ```
-
-    Maintenance mode off.
-
-    ```
-    oc patch route dev-lowcarbonfuels-frontend -n mem-tfrs-[ENV_NAME] \
-    -p '{ "spec": { "to": { "name": "client" },"port": { "targetPort": "web" }}}'
-
-    ```
diff --git a/openshift-v4/templates/maintenance-page/create-maintenance-page.sh b/openshift-v4/templates/maintenance-page/create-maintenance-page.sh
deleted file mode 100644
index 91ea63474..000000000
--- a/openshift-v4/templates/maintenance-page/create-maintenance-page.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-## tools
-oc process -f ./maintenance-page.bc.json | oc create -f -
-
-## dev
-oc process -f ./maintenance-page.dc.json ENV_NAME=dev | oc create -f - 
-
-## test
-oc process -f ./maintenance-page.dc.json ENV_NAME=test | oc create -f - 
-
-## prod
-oc process -f ./maintenance-page.dc.json ENV_NAME=prod | oc create -f - 
-
-## turn on maintenance page
-oc patch route dev-lowcarbonfuels-frontend -n mem-tfrs-[ENV_NAME] -p '{ "spec": { "to": { "name": "maintenance-page" },"port": { "targetPort": "2015-tcp" }}}'
-# turn off maintenance page
-oc patch route dev-lowcarbonfuels-frontend -n mem-tfrs-[ENV_NAME] -p '{ "spec": { "to": { "name": "client" },"port": { "targetPort": "web" }}}'
\ No newline at end of file
diff --git a/openshift-v4/templates/maintenance-page/httpd.conf b/openshift-v4/templates/maintenance-page/httpd.conf
new file mode 100644
index 000000000..4f2329508
--- /dev/null
+++ b/openshift-v4/templates/maintenance-page/httpd.conf
@@ -0,0 +1,551 @@
+#
+# This is the main Apache HTTP server configuration file.  It contains the
+# configuration directives that give the server its instructions.
+# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
+# In particular, see 
+# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
+# for a discussion of each configuration directive.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do.  They're here only as hints or reminders.  If you are unsure
+# consult the online docs. You have been warned.  
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32), the
+# server will use that explicit path.  If the filenames do *not* begin
+# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
+# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
+# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" 
+# will be interpreted as '/logs/access_log'.
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# Do not add a slash at the end of the directory path.  If you point
+# ServerRoot at a non-local disk, be sure to specify a local disk on the
+# Mutex directive, if file-based mutexes are used.  If you wish to share the
+# same ServerRoot for multiple httpd daemons, you will need to change at
+# least PidFile.
+#
+ServerRoot "/usr/local/apache2"
+
+#
+# Mutex: Allows you to set the mutex mechanism and mutex file directory
+# for individual mutexes, or change the global defaults
+#
+# Uncomment and change the directory if mutexes are file-based and the default
+# mutex file directory is not on a local disk or is not appropriate for some
+# other reason.
+#
+# Mutex default:logs
+
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, instead of the default. See also the <VirtualHost>
+# directive.
+#
+# Change this to Listen on specific IP addresses as shown below to 
+# prevent Apache from glomming onto all bound IP addresses.
+#
+#Listen 12.34.56.78:80
+Listen 8080
+
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Statically compiled modules (those listed by `httpd -l') do not need
+# to be loaded here.
+#
+# Example:
+# LoadModule foo_module modules/mod_foo.so
+#
+LoadModule mpm_event_module modules/mod_mpm_event.so
+#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
+#LoadModule mpm_worker_module modules/mod_mpm_worker.so
+LoadModule authn_file_module modules/mod_authn_file.so
+#LoadModule authn_dbm_module modules/mod_authn_dbm.so
+#LoadModule authn_anon_module modules/mod_authn_anon.so
+#LoadModule authn_dbd_module modules/mod_authn_dbd.so
+#LoadModule authn_socache_module modules/mod_authn_socache.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_user_module modules/mod_authz_user.so
+#LoadModule authz_dbm_module modules/mod_authz_dbm.so
+#LoadModule authz_owner_module modules/mod_authz_owner.so
+#LoadModule authz_dbd_module modules/mod_authz_dbd.so
+LoadModule authz_core_module modules/mod_authz_core.so
+#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
+#LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule auth_basic_module modules/mod_auth_basic.so
+#LoadModule auth_form_module modules/mod_auth_form.so
+#LoadModule auth_digest_module modules/mod_auth_digest.so
+#LoadModule allowmethods_module modules/mod_allowmethods.so
+#LoadModule isapi_module modules/mod_isapi.so
+#LoadModule file_cache_module modules/mod_file_cache.so
+#LoadModule cache_module modules/mod_cache.so
+#LoadModule cache_disk_module modules/mod_cache_disk.so
+#LoadModule cache_socache_module modules/mod_cache_socache.so
+#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+#LoadModule socache_dbm_module modules/mod_socache_dbm.so
+#LoadModule socache_memcache_module modules/mod_socache_memcache.so
+#LoadModule socache_redis_module modules/mod_socache_redis.so
+#LoadModule watchdog_module modules/mod_watchdog.so
+#LoadModule macro_module modules/mod_macro.so
+#LoadModule dbd_module modules/mod_dbd.so
+#LoadModule bucketeer_module modules/mod_bucketeer.so
+#LoadModule dumpio_module modules/mod_dumpio.so
+#LoadModule echo_module modules/mod_echo.so
+#LoadModule example_hooks_module modules/mod_example_hooks.so
+#LoadModule case_filter_module modules/mod_case_filter.so
+#LoadModule case_filter_in_module modules/mod_case_filter_in.so
+#LoadModule example_ipc_module modules/mod_example_ipc.so
+#LoadModule buffer_module modules/mod_buffer.so
+#LoadModule data_module modules/mod_data.so
+#LoadModule ratelimit_module modules/mod_ratelimit.so
+LoadModule reqtimeout_module modules/mod_reqtimeout.so
+#LoadModule ext_filter_module modules/mod_ext_filter.so
+#LoadModule request_module modules/mod_request.so
+#LoadModule include_module modules/mod_include.so
+LoadModule filter_module modules/mod_filter.so
+#LoadModule reflector_module modules/mod_reflector.so
+#LoadModule substitute_module modules/mod_substitute.so
+#LoadModule sed_module modules/mod_sed.so
+#LoadModule charset_lite_module modules/mod_charset_lite.so
+#LoadModule deflate_module modules/mod_deflate.so
+#LoadModule xml2enc_module modules/mod_xml2enc.so
+#LoadModule proxy_html_module modules/mod_proxy_html.so
+#LoadModule brotli_module modules/mod_brotli.so
+LoadModule mime_module modules/mod_mime.so
+#LoadModule ldap_module modules/mod_ldap.so
+LoadModule log_config_module modules/mod_log_config.so
+#LoadModule log_debug_module modules/mod_log_debug.so
+#LoadModule log_forensic_module modules/mod_log_forensic.so
+#LoadModule logio_module modules/mod_logio.so
+#LoadModule lua_module modules/mod_lua.so
+LoadModule env_module modules/mod_env.so
+#LoadModule mime_magic_module modules/mod_mime_magic.so
+#LoadModule cern_meta_module modules/mod_cern_meta.so
+#LoadModule expires_module modules/mod_expires.so
+LoadModule headers_module modules/mod_headers.so
+#LoadModule ident_module modules/mod_ident.so
+#LoadModule usertrack_module modules/mod_usertrack.so
+#LoadModule unique_id_module modules/mod_unique_id.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule version_module modules/mod_version.so
+#LoadModule remoteip_module modules/mod_remoteip.so
+#LoadModule proxy_module modules/mod_proxy.so
+#LoadModule proxy_connect_module modules/mod_proxy_connect.so
+#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
+#LoadModule proxy_http_module modules/mod_proxy_http.so
+#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
+#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
+#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
+#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
+#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
+#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
+#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
+#LoadModule proxy_express_module modules/mod_proxy_express.so
+#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
+#LoadModule session_module modules/mod_session.so
+#LoadModule session_cookie_module modules/mod_session_cookie.so
+#LoadModule session_crypto_module modules/mod_session_crypto.so
+#LoadModule session_dbd_module modules/mod_session_dbd.so
+#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
+#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
+#LoadModule ssl_module modules/mod_ssl.so
+#LoadModule optional_hook_export_module modules/mod_optional_hook_export.so
+#LoadModule optional_hook_import_module modules/mod_optional_hook_import.so
+#LoadModule optional_fn_import_module modules/mod_optional_fn_import.so
+#LoadModule optional_fn_export_module modules/mod_optional_fn_export.so
+#LoadModule dialup_module modules/mod_dialup.so
+#LoadModule http2_module modules/mod_http2.so
+#LoadModule proxy_http2_module modules/mod_proxy_http2.so
+#LoadModule md_module modules/mod_md.so
+#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
+#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
+#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
+#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
+LoadModule unixd_module modules/mod_unixd.so
+#LoadModule heartbeat_module modules/mod_heartbeat.so
+#LoadModule heartmonitor_module modules/mod_heartmonitor.so
+#LoadModule dav_module modules/mod_dav.so
+LoadModule status_module modules/mod_status.so
+LoadModule autoindex_module modules/mod_autoindex.so
+#LoadModule asis_module modules/mod_asis.so
+#LoadModule info_module modules/mod_info.so
+#LoadModule suexec_module modules/mod_suexec.so
+<IfModule !mpm_prefork_module>
+	#LoadModule cgid_module modules/mod_cgid.so
+</IfModule>
+<IfModule mpm_prefork_module>
+	#LoadModule cgi_module modules/mod_cgi.so
+</IfModule>
+#LoadModule dav_fs_module modules/mod_dav_fs.so
+#LoadModule dav_lock_module modules/mod_dav_lock.so
+#LoadModule vhost_alias_module modules/mod_vhost_alias.so
+#LoadModule negotiation_module modules/mod_negotiation.so
+LoadModule dir_module modules/mod_dir.so
+#LoadModule imagemap_module modules/mod_imagemap.so
+#LoadModule actions_module modules/mod_actions.so
+#LoadModule speling_module modules/mod_speling.so
+#LoadModule userdir_module modules/mod_userdir.so
+LoadModule alias_module modules/mod_alias.so
+#LoadModule rewrite_module modules/mod_rewrite.so
+
+<IfModule unixd_module>
+#
+# If you wish httpd to run as a different user or group, you must run
+# httpd as root initially and it will switch.  
+#
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# It is usually good practice to create a dedicated user and group for
+# running httpd, as with most system services.
+#
+User daemon
+Group daemon
+
+</IfModule>
+
+# 'Main' server configuration
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# <VirtualHost> definition.  These values also provide defaults for
+# any <VirtualHost> containers you may define later in the file.
+#
+# All of these directives may appear inside <VirtualHost> containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed.  This address appears on some server-generated pages, such
+# as error documents.  e.g. admin@your-domain.com
+#
+ServerAdmin you@example.com
+
+#
+# ServerName gives the name and port that the server uses to identify itself.
+# This can often be determined automatically, but we recommend you specify
+# it explicitly to prevent problems during startup.
+#
+# If your host doesn't have a registered DNS name, enter its IP address here.
+#
+#ServerName www.example.com:80
+
+#
+# Deny access to the entirety of your server's filesystem. You must
+# explicitly permit access to web content directories in other 
+# <Directory> blocks below.
+#
+<Directory />
+    AllowOverride none
+    Require all denied
+</Directory>
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+#
+DocumentRoot "/usr/local/apache2/htdocs"
+<Directory "/usr/local/apache2/htdocs">
+    #
+    # Possible values for the Options directive are "None", "All",
+    # or any combination of:
+    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+    #
+    # Note that "MultiViews" must be named *explicitly* --- "Options All"
+    # doesn't give it to you.
+    #
+    # The Options directive is both complicated and important.  Please see
+    # http://httpd.apache.org/docs/2.4/mod/core.html#options
+    # for more information.
+    #
+    Options Indexes FollowSymLinks
+
+    #
+    # AllowOverride controls what directives may be placed in .htaccess files.
+    # It can be "All", "None", or any combination of the keywords:
+    #   AllowOverride FileInfo AuthConfig Limit
+    #
+    AllowOverride None
+
+    #
+    # Controls who can get stuff from this server.
+    #
+    Require all granted
+</Directory>
+
+#
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+<IfModule dir_module>
+    DirectoryIndex index.html
+</IfModule>
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being 
+# viewed by Web clients. 
+#
+<Files ".ht*">
+    Require all denied
+</Files>
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here.  If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog /proc/self/fd/2
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
+<IfModule log_config_module>
+    #
+    # The following directives define some format nicknames for use with
+    # a CustomLog directive (see below).
+    #
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+    <IfModule logio_module>
+      # You need to enable mod_logio.c to use %I and %O
+      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+    </IfModule>
+
+    #
+    # The location and format of the access logfile (Common Logfile Format).
+    # If you do not define any access logfiles within a <VirtualHost>
+    # container, they will be logged here.  Contrariwise, if you *do*
+    # define per-<VirtualHost> access logfiles, transactions will be
+    # logged therein and *not* in this file.
+    #
+    CustomLog /proc/self/fd/1 common
+
+    #
+    # If you prefer a logfile with access, agent, and referer information
+    # (Combined Logfile Format) you can use the following directive.
+    #
+    #CustomLog "logs/access_log" combined
+</IfModule>
+
+<IfModule alias_module>
+    #
+    # Redirect: Allows you to tell clients about documents that used to 
+    # exist in your server's namespace, but do not anymore. The client 
+    # will make a new request for the document at its new location.
+    # Example:
+    # Redirect permanent /foo http://www.example.com/bar
+
+    #
+    # Alias: Maps web paths into filesystem paths and is used to
+    # access content that does not live under the DocumentRoot.
+    # Example:
+    # Alias /webpath /full/filesystem/path
+    #
+    # If you include a trailing / on /webpath then the server will
+    # require it to be present in the URL.  You will also likely
+    # need to provide a <Directory> section to allow access to
+    # the filesystem path.
+
+    #
+    # ScriptAlias: This controls which directories contain server scripts. 
+    # ScriptAliases are essentially the same as Aliases, except that
+    # documents in the target directory are treated as applications and
+    # run by the server when requested rather than as documents sent to the
+    # client.  The same rules about trailing "/" apply to ScriptAlias
+    # directives as to Alias.
+    #
+    ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
+
+</IfModule>
+
+<IfModule cgid_module>
+    #
+    # ScriptSock: On threaded servers, designate the path to the UNIX
+    # socket used to communicate with the CGI daemon of mod_cgid.
+    #
+    #Scriptsock cgisock
+</IfModule>
+
+#
+# "/usr/local/apache2/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+#
+<Directory "/usr/local/apache2/cgi-bin">
+    AllowOverride None
+    Options None
+    Require all granted
+</Directory>
+
+<IfModule headers_module>
+    #
+    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+    # backend servers which have lingering "httpoxy" defects.
+    # 'Proxy' request header is undefined by the IETF, not listed by IANA
+    #
+    RequestHeader unset Proxy early
+</IfModule>
+
+<IfModule mime_module>
+    #
+    # TypesConfig points to the file containing the list of mappings from
+    # filename extension to MIME-type.
+    #
+    TypesConfig conf/mime.types
+
+    #
+    # AddType allows you to add to or override the MIME configuration
+    # file specified in TypesConfig for specific file types.
+    #
+    #AddType application/x-gzip .tgz
+    #
+    # AddEncoding allows you to have certain browsers uncompress
+    # information on the fly. Note: Not all browsers support this.
+    #
+    #AddEncoding x-compress .Z
+    #AddEncoding x-gzip .gz .tgz
+    #
+    # If the AddEncoding directives above are commented-out, then you
+    # probably should define those extensions to indicate media types:
+    #
+    AddType application/x-compress .Z
+    AddType application/x-gzip .gz .tgz
+
+    #
+    # AddHandler allows you to map certain file extensions to "handlers":
+    # actions unrelated to filetype. These can be either built into the server
+    # or added with the Action directive (see below)
+    #
+    # To use CGI scripts outside of ScriptAliased directories:
+    # (You will also need to add "ExecCGI" to the "Options" directive.)
+    #
+    #AddHandler cgi-script .cgi
+
+    # For type maps (negotiated resources):
+    #AddHandler type-map var
+
+    #
+    # Filters allow you to process content before it is sent to the client.
+    #
+    # To parse .shtml files for server-side includes (SSI):
+    # (You will also need to add "Includes" to the "Options" directive.)
+    #
+    #AddType text/html .shtml
+    #AddOutputFilter INCLUDES .shtml
+</IfModule>
+
+#
+# The mod_mime_magic module allows the server to use various hints from the
+# contents of the file itself to determine its type.  The MIMEMagicFile
+# directive tells the module where the hint definitions are located.
+#
+#MIMEMagicFile conf/magic
+
+#
+# Customizable error responses come in three flavors:
+# 1) plain text 2) local redirects 3) external redirects
+#
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
+#ErrorDocument 404 /missing.html
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+#
+
+#
+# MaxRanges: Maximum number of Ranges in a request before
+# returning the entire resource, or one of the special
+# values 'default', 'none' or 'unlimited'.
+# Default setting is to accept 200 Ranges.
+#MaxRanges unlimited
+
+#
+# EnableMMAP and EnableSendfile: On systems that support it, 
+# memory-mapping or the sendfile syscall may be used to deliver
+# files.  This usually improves server performance, but must
+# be turned off when serving from networked-mounted 
+# filesystems or if support for these functions is otherwise
+# broken on your system.
+# Defaults: EnableMMAP On, EnableSendfile Off
+#
+#EnableMMAP off
+#EnableSendfile on
+
+# Supplemental configuration
+#
+# The configuration files in the conf/extra/ directory can be 
+# included to add extra features or to modify the default configuration of 
+# the server, or you may simply copy their contents here and change as 
+# necessary.
+
+# Server-pool management (MPM specific)
+#Include conf/extra/httpd-mpm.conf
+
+# Multi-language error messages
+#Include conf/extra/httpd-multilang-errordoc.conf
+
+# Fancy directory listings
+#Include conf/extra/httpd-autoindex.conf
+
+# Language settings
+#Include conf/extra/httpd-languages.conf
+
+# User home directories
+#Include conf/extra/httpd-userdir.conf
+
+# Real-time info on requests and configuration
+#Include conf/extra/httpd-info.conf
+
+# Virtual hosts
+#Include conf/extra/httpd-vhosts.conf
+
+# Local access to the Apache HTTP Server Manual
+#Include conf/extra/httpd-manual.conf
+
+# Distributed authoring and versioning (WebDAV)
+#Include conf/extra/httpd-dav.conf
+
+# Various default settings
+#Include conf/extra/httpd-default.conf
+
+# Configure mod_proxy_html to understand HTML4/XHTML1
+<IfModule proxy_html_module>
+Include conf/extra/proxy-html.conf
+</IfModule>
+
+# Secure (SSL/TLS) connections
+#Include conf/extra/httpd-ssl.conf
+#
+# Note: The following must must be present to support
+#       starting without SSL on platforms with no /dev/random equivalent
+#       but a statically compiled-in mod_ssl.
+#
+<IfModule ssl_module>
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
+</IfModule>
+
diff --git a/openshift-v4/templates/maintenance-page/maintenance-page-bc.yaml b/openshift-v4/templates/maintenance-page/maintenance-bc.yaml
similarity index 81%
rename from openshift-v4/templates/maintenance-page/maintenance-page-bc.yaml
rename to openshift-v4/templates/maintenance-page/maintenance-bc.yaml
index c515e00bc..4fba18464 100644
--- a/openshift-v4/templates/maintenance-page/maintenance-page-bc.yaml
+++ b/openshift-v4/templates/maintenance-page/maintenance-bc.yaml
@@ -37,17 +37,17 @@ objects:
     runPolicy: SerialLatestOnly
     source:
       type: Git
-      contextDir: "/maintenance"
+      contextDir: "openshift-v4/templates/maintenance-page"
       git:
         uri: https://github.com/bcgov/tfrs.git
-        ref: openshift-v4-migration
+        ref: Maintenance-page
     strategy:
-      type: Source
-      sourceStrategy:
-        from:
-          kind: ImageStreamTag
-          namespace: 0ab226-tools
-          name: s2i-caddy:prod
+      dockerStrategy:
+        pullSecret:
+          name: docker-creds  
+        forcePull: true
+        noCache: true
+      type: Docker
     output:
       to:
         kind: ImageStreamTag
diff --git a/openshift-v4/templates/maintenance-page/maintenance-page-dc.yaml b/openshift-v4/templates/maintenance-page/maintenance-dc.yaml
similarity index 95%
rename from openshift-v4/templates/maintenance-page/maintenance-page-dc.yaml
rename to openshift-v4/templates/maintenance-page/maintenance-dc.yaml
index 445cfbe73..d8df7835b 100644
--- a/openshift-v4/templates/maintenance-page/maintenance-page-dc.yaml
+++ b/openshift-v4/templates/maintenance-page/maintenance-dc.yaml
@@ -55,7 +55,7 @@ objects:
         - name: maintenance-page
           image: " "
           ports:
-          - containerPort: 2015
+          - containerPort: 8080
             protocol: TCP
           resources:
             limits:
@@ -81,10 +81,10 @@ objects:
       app: maintenance-page
   spec:
     ports:
-    - name: 2015-tcp
+    - name: 8080-tcp
       protocol: TCP
-      port: 2015
-      targetPort: 2015
+      port: 8080
+      targetPort: 8080
     selector:
       app: maintenance-page
     type: ClusterIP
@@ -105,5 +105,5 @@ objects:
       name: maintenance-page
       weight: 100
     port:
-      targetPort: 2015-tcp
+      targetPort: 8080-tcp
     wildcardPolicy: None
diff --git a/maintenance/maintenance.html b/openshift-v4/templates/maintenance-page/public-html/index.html
similarity index 100%
rename from maintenance/maintenance.html
rename to openshift-v4/templates/maintenance-page/public-html/index.html
diff --git a/openshift-v4/templates/nagios/nagios3/conf.d/services-replica-prod.cfg b/openshift-v4/templates/nagios/nagios3/conf.d/services-replica-prod.cfg
index 97f96e5f6..998eb2b09 100644
--- a/openshift-v4/templates/nagios/nagios3/conf.d/services-replica-prod.cfg
+++ b/openshift-v4/templates/nagios/nagios3/conf.d/services-replica-prod.cfg
@@ -118,7 +118,7 @@ define service {
 define service {
       host_name                       tfrs-prod-rabbitmq-cluster
       service_description             Rabbitmq replica count
-      check_command                   check_replicas!0ab226-prod!tfrs-prod-rabbitmq-cluster!2
+      check_command                   check_replicas!0ab226-prod!tfrs-prod-rabbitmq-cluster!1
       check_interval                  5
       retry_interval                  1
       max_check_attempts              5
diff --git a/openshift-v4/templates/nagios/nagios3/conf.d/services-replica-test.cfg b/openshift-v4/templates/nagios/nagios3/conf.d/services-replica-test.cfg
index ee8fe7e1c..0fd6982b9 100644
--- a/openshift-v4/templates/nagios/nagios3/conf.d/services-replica-test.cfg
+++ b/openshift-v4/templates/nagios/nagios3/conf.d/services-replica-test.cfg
@@ -118,7 +118,7 @@ define service {
 define service {
       host_name                       tfrs-test-rabbitmq-cluster
       service_description             Rabbitmq replica count
-      check_command                   check_replicas!0ab226-test!tfrs-test-rabbitmq-cluster!2
+      check_command                   check_replicas!0ab226-test!tfrs-test-rabbitmq-cluster!1
       check_interval                  5
       retry_interval                  1
       max_check_attempts              5
diff --git a/openshift-v4/templates/nsp/Untitled.drawio b/openshift-v4/templates/nsp/Untitled.drawio
deleted file mode 100644
index b4db87efe..000000000
--- a/openshift-v4/templates/nsp/Untitled.drawio
+++ /dev/null
@@ -1 +0,0 @@
-<mxfile host="app.diagrams.net" modified="2021-02-05T22:56:18.643Z" agent="5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36" etag="_Ao6_xuydGv-drKj9xIQ" version="14.2.9" type="device"><diagram id="s7jKBaocNrS_OuQdS_DF" name="Page-1">5VpPc+IgHP00Hu0ESDQeW3W7h+1lu7Pt7o0xaLIlwSGocT/9kkpMELTZmSppvTjygBDe7/H4lx4ap8U9x8v4gUWE9qAXFT006UEYgkD+lsB2B/gDfwcseBLtIFADj8lfokBPoaskIrlWUDBGRbLUwRnLMjITGoY5Zxu92JxRvdUlXhADeJxhaqJPSSRi1a3Aq/GvJFnEVcvAUzkprgorII9xxDYNCE17aMwZE7t/aTEmtOSu4mVX78uR3P2LcZKJNhX6DyKd3pEf9y/z9GXtP03S2UMfDtTLiW3VYxJJAlSScRGzBcswndboHWerLCLlYz2Zqst8Y2wpQSDBP0SIrYomXgkmoVikVOXu2iwbOtoXBeVsxWfkRAcqTWC+IOJUR4M95VKqhKVE8K2syAnFIlnrL4KVaBb7cjWv8o+i9j9oRt6V0OyUZfXcNaYr1ZLJOqXSOUp2N3EiyOMSv3Z7I71L5w7ny52dzJOijIEic024IMVpOs3uVxV8JQPlhaCyhk3tLAMFxQ1TqbB3JwwahKU4F4QbtMk+C52fXHD2QsaMMi6RjGUlp/OE0gMI02SRyeRMciQfjO5KBhPpr7cqI02iiB4LiD4E3iEE4UEEfDMCviUC8FwRQEYE5FAhOCd9cAPCzxuHw6EwNOMwvGQcqmXKZQ1aksW3z6r+a+JXmbgJquSkaGZOtloA3sXYg5bGDnyXzh503dlHupyhxVcu6uyDU74y+sS+EgZaIJBlir2ssQCD7OswlmFLYwld+srQGCa/pz9v+2BkDhGn/oKA7i9o5NhfgMWAP9SGJmwpz5FLeYaGPMcWO3EpTB92TZjoSv121HYh59kDehlFj0xFd2wpF3RO0Z7JmUXkLjkbdI0z6DtxgSIRz43/DQ+QqdoCysQZHAD4LS0AIpcWUL2mNqv1O6ZoFL69obPtI4ZncwEnB/UdmNdA240EcLpUA0e2ErC6D+qMsg+82g9dz2/mMefH2kqAtkuvY5G5kEItay/LNOl0N4E6pk1oGbxX4br7u/Y3NQ1darp6cFPTlpN8p/uJzmkampxZFhdO9xOd48y8pxv7/Y6xFvgdW7NCyynqh5rZYdvbMej0FBua12NyR9UxdQ4CXZ0AmOoMLeoMz6ZO83T1+/6OzDbxu2RviN4e2xdlD5kz73XcMB7q+HxfLshk/XXga17jE0s0/Qc=</diagram></mxfile>
\ No newline at end of file
diff --git a/openshift-v4/templates/nsp/nsp-diagram.drawio b/openshift-v4/templates/nsp/nsp-diagram.drawio
deleted file mode 100644
index 803a9685b..000000000
--- a/openshift-v4/templates/nsp/nsp-diagram.drawio
+++ /dev/null
@@ -1 +0,0 @@
-<mxfile host="app.diagrams.net" modified="2021-02-02T21:21:43.106Z" agent="5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36" etag="r5K3FpTHObiuC_gNwdoA" version="14.2.9" type="device"><diagram id="AIra0pvackN1RxZxVPas" name="Page-1">5Vxbc5s6EP41eUwGITDwmKa5dKbt9HIuSd5kkG01GLkgJ/b59UfEAowEBl8ln9POtGhZhNjdb3ellXwBb6aL+xTNJl9ohOML24oWF/DjhW0DG/j8v5yyFBTPAivKOCWRoFWEn+QfLIiWoM5JhLMaI6M0ZmRWJ4Y0SXDIajSUpvStzjaicf2tMzTGCuFniGKV+jeJ2GRF9V2roj9gMp4UbwaWuDNFBbMgZBMU0bc1Ery9gDcppWx1NV3c4DiXXiGX1XN3LXfLgaU4YX0eGDrPX+0v7o/Rt6fr39+//Hq4gdElcMXg2LL4YhxxAYgmTdmEjmmC4tuK+iGl8yTCebcWb1U8nymdcSLgxF+YsaXQJpozykkTNo3FXbwg7HHt+inv6soVrY8L0fN7YykaGUvpC76hMU3fxwnv7gL+h99RBSFkk9F5GuJNXy8MCqVjzDbwwRVfLpm1Fwgx32M6xSxdcoYUx4iR17rpIGGB45KvUhK/EHraQmcO0KEznfIvIGSIAkS/ryieizeNUpownESqYuKYe6pcAW8TwvDPGXoXyBv3lnXxomy2cl8jssjV1C7VV5wyvNgoBnEX+gLdwvleAkcI8m3NlQnSZM2LFbSDS86G/xXThedpuraj099ba/4enNzb91VZYJbG9ETohI/9sQrLefOpUFTeqNT23jJBb8A2S3GD/3Nq1VtpZuVWtmeM0oxVmW+UxqCSjA1R+GJeLuZZtVzM05yJQT2JQBlWtgkqI55cN5n6MUDgnGWSALUkCTrlD4FRCnAUL5RQRkYk5O+myWWGU+4qzPJIruSR+FRF9+zQ1+qTwLpPAh0+6Ri2756l77GD89GaGRPRvno2LDeGllZFW1eeV5+LXgWe16XwvPUNp4SLAKcbrOD06XZfKzAs3bY1G4G7Dd516u3wGYp49BslfMxlHA/sehwvw3jRxWqk4ilJ/eUwdrcIV0l9QhxjYWrGZDuelO1AV/cETMvy0DEAMegbzsxan4N6lnoaZ8Dnkbf0VbRZ+SnUO6vYW8+nz0x6A1pbfvpw++kxC2f3Q/L4/fkVfh1a46ay7BCHaM4jTr49hKYRSRDjYuKvDkOcZTjjl1OSEHo+E5gudUuqOK7+4eaQe2ldAb+wkWKRwRFBYNekp2Cho1GGj5LPDBQzykKUXNYsyOTMxgW6MxuDFgR01Cu9swyTjubZ/TZaMyNM9tWzWRN4r9m9TVASxaYtUQ+gtETd4NqCBtcWHMu1+YrwZohbVkLMkpsTtCwJ6AoJjp69EDulWKesNgY9XYhhu8gCBQYpGg4Jm/42Cwc2NA0HWvY/7jYXPcqGX+ssY2YxbGmTyXzGZwUJQyQxLXCWpxCE4Tu+ZsMHegOAAWUD0Hez+8GnBc1lA+BLvlFOmo5cNgB6Z4lbWkTTDr3TL8D2tiHDKsflB559raO3BgzL2Gz7nNCmVXOGpR7qqnaCxoRmZiUcEEgJR3GwcC3hGLhqwlHQDi43V89y1tYbuVsWwCq8bA0Raf5qAf4X7gcduyd0jrTl4TpN0XKNYZbnJFl7auM49aIDcC3JnlY9HjafsRWghjGaolfDgOrVzwTauqsFzhmV4U+5NAT6HscwBHSedNjUdqTj6B38INjM7w+C/fg9/wROQD2N0lJg1rqs3rZjTNvGb3V9BS8YTjmizZKcWxec9kM8anJoptx8qUYNtEcddddidYbf4tGC+9NSkoOYD+fDMOVX4/xK5iwPnMmMjWdAunrf8FC1yi4/VA6hq3eJUXinDq6yyNXB13t8RWYks9VLkV2dNnG3DlUBBDddtmnBIKFJjpYRiWOJhGIyTngzxqO8hxwGXF/xtSCzPAdpRFk9bTkErgY1WF06DT/wAHxHBRbwjoYstUZaabDLOoU5drEV5tPJJzYib8fXgok6U6ud1dnajbeYxXe6gxpf3/5avqHO1Fa73jZASHhom4A24+QAKLClpewWGDTEF3C8AKPWSNVtZBt11ca+0Xc28G92yvUaVodtlzd6h4Upyf+dUPqS89PuiJKFEzzlFpardzYfxiTc6hE0jwjb4yV8CsFxmG8s7P2W9kdkv9daJN8WcG0I6xWYDgA4eX/JiQEXLJ7/Wv4Y0+Vz4v45//z2x/Unt+F3ABQxh3OeTEXlPD+6zn8fjjc5orKM28DeP6Rhzh5EEYQPtti9ple3Qa0Fbc+apNu2b6noYvXdSk1S7WggdzSod9RS3Nx20WPgNA+4dVzSBx56ZbIRGeqG5v2Q0W6vp8PM7sjou+Wqbxn+NMiAwLuS1tfgjtiAA7krxSkfCB3qm4pBt45N+cxibDsihDerX9hcsVc/VApv/wU=</diagram></mxfile>
\ No newline at end of file
diff --git a/openshift-v4/templates/patroni/build.yaml b/openshift-v4/templates/patroni/build.yaml
index d04418e97..9bc097633 100644
--- a/openshift-v4/templates/patroni/build.yaml
+++ b/openshift-v4/templates/patroni/build.yaml
@@ -98,6 +98,8 @@ objects:
       type: Git
     strategy:
       dockerStrategy:
+        pullSecret:
+          name: docker-creds                 
         from:
           kind: ImageStreamTag
           name: postgres:${POSTGRES_VERSION}