Fix gitignore and missing files

Due to bad gitignore some files were missing.
Now .vault_passwords added and dirs under roles

Issue-ID: VVP-32
Change-Id: I2b9b7afe305603b37fbfe184dc36156c8461bc85
Signed-off-by: edan.binshtok <eb578m@intl.att.com>

29 files changed, 2307 insertions, 0 deletions

diff --git a/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2
new file mode 100644
index 0000000..3fd9055
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/configmaps/haproxy-cfg-configmap.yaml.j2
@@ -0,0 +1,198 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: ext-haproxy-cfg
+  namespace: default
+data:
+  file: |
+   resolvers dns
+       nameserver pod_dns "10.3.0.10:53"
+       resolve_retries    3
+       timeout retry      1s
+       hold valid         30s
+
+   defaults
+       mode http
+       timeout connect 5000ms
+       timeout client 50000ms
+       timeout server 50000ms
+       option httpclose
+       option redispatch
+       option abortonclose
+       option httplog
+       option dontlognull
+       default-server init-addr last,libc,none
+
+   backend gitlab_ssh
+       mode tcp
+       option tcplog
+       timeout server 2h
+       server gitlabssh gitlab:22 resolvers dns
+
+   frontend gitlab_ssh_frontend
+       mode tcp
+       option tcplog
+       timeout client 2h
+       bind 0.0.0.0:22
+       acl is_ssh dst_port 22
+       use_backend gitlab_ssh if is_ssh
+
+   backend portal_backend
+       mode http
+       server ice_portal portal:8181 resolvers dns
+
+   backend api
+       mode http
+       server engagement_manager em:80 resolvers dns
+
+   backend s3
+       mode http
+       balance roundrobin
+       option httpchk HEAD /
+{% for host in rgws %}
+       server {{ host['name'] }} {{ host['ip'] }}:{{ hostvars[host['name']]['radosgw_civetweb_port'] }} check inter 10000ms
+{% endfor %}
+
+   frontend portal
+       mode http
+       redirect scheme https if !{ ssl_fc }
+       acl is_api_call path_beg -i /ice
+       acl is_s3       hdr_beg(host) s3.  staging-s3.  dev-s3.
+       use_backend api if is_api_call
+       use_backend s3 if is_s3
+       bind 0.0.0.0:80
+       bind 0.0.0.0:443 ssl crt /etc/haproxy/site.pem force-tlsv12
+       default_backend portal_backend
+
+   listen stats
+       bind 0.0.0.0:9001
+       mode http
+       stats enable  # Enable stats page
+       stats realm Haproxy\ Statistics
+       stats uri /haproxy_stats
+       stats auth "${HAPROXY_USER}:${HAPROXY_PASS}"
+       acl network_allowed src 10.252.0.0/16 127.0.0.1/32 10.2.0.0/16
+       http-request deny if !network_allowed
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: int-haproxy-cfg
+  namespace: default
+data:
+  file: |
+   resolvers dns
+       nameserver pod_dns "10.3.0.10:53"
+       resolve_retries    3
+       timeout retry      1s
+       hold valid         30s
+
+   defaults
+       mode http
+       timeout connect 5000ms
+       timeout client 50000ms
+       timeout server 50000ms
+       option httpclose
+       option redispatch
+       option abortonclose
+       option httplog
+       option dontlognull
+       default-server init-addr last,libc,none
+
+   backend gitlab_web_backend
+       mode http
+       server gitlab_web_1 gitlab:80 resolvers dns
+
+   frontend gitlab_web
+       mode http
+       bind 0.0.0.0:80
+
+       acl is_scanner  path_beg /imagescanner
+       acl is_em_admin hdr_beg(host) em.  staging-em.  dev-em.
+       acl is_cms      hdr_beg(host) cms. staging-cms. dev-cms.
+       acl is_ci_admin hdr_beg(host)      staging-ci.  dev-ci.
+       acl is_s3       hdr_beg(host) s3.  staging-s3.  dev-s3.
+
+       use_backend imagescanner if is_em_admin is_scanner
+       use_backend cms if is_cms
+       use_backend api if is_em_admin
+       use_backend ci  if is_ci_admin
+       use_backend s3  if is_s3
+
+       default_backend gitlab_web_backend
+
+   backend s3
+       mode http
+       balance roundrobin
+{% for host in rgws %}
+       server {{ host['name'] }} {{ host['ip'] }}:{{ hostvars[host['name']]['radosgw_civetweb_port'] }}
+{% endfor %}
+
+   backend cms
+     mode http
+     server cms_server cms:80 resolvers dns
+
+   backend api
+       mode http
+       server engagement_manager em:80 resolvers dns
+
+   backend ci
+       mode http
+       server ci_test ci:8282 resolvers dns
+
+   listen jenkins
+       bind 0.0.0.0:8080
+       server jenkins jenkins:8080 resolvers dns
+
+   backend imagescanner
+       mode http
+       server imagescanner imagescanner:80 resolvers dns
+
+   listen stats
+       bind 0.0.0.0:9000
+       mode http
+       stats enable  # Enable stats page
+       stats realm Haproxy\ Statistics
+       stats uri /haproxy_stats
+       stats auth "${HAPROXY_USER}:${HAPROXY_PASS}"
+       acl network_allowed src 10.252.0.0/16 127.0.0.1/32 10.2.0.0/16
+       block if !network_allowed
diff --git a/ansible/roles/ansible-vvp-templates/templates/configmaps/s3provision-configmap.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/configmaps/s3provision-configmap.yaml.j2
new file mode 100644
index 0000000..6e30492
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/configmaps/s3provision-configmap.yaml.j2
@@ -0,0 +1,86 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: s3provision
+  namespace: default
+data:
+  s3cmd.cfg: |
+    [default]
+    access_key = {{ vault_aws_access_key_id }}
+    host_base = {{ rgws[0]['ip'] }}:{{ hostvars[rgws[0]['name']]['radosgw_civetweb_port'] }}
+    host_bucket = 
+    secret_key = {{ vault_aws_secret_access_key }}
+    use_https = False
+    verbosity = INFO
+  corsconf.xml: |
+    <CORSConfiguration>
+    <CORSRule>
+        <ID>Allow GET and HEAD from our domain.</ID>
+        <AllowedOrigin>https://{{ domain }}</AllowedOrigin>
+        <AllowedOrigin>http://{{ cms_dns_name }}</AllowedOrigin>
+        <AllowedOrigin>http://{{ em_domain_name }}</AllowedOrigin>
+        <AllowedMethod>GET</AllowedMethod>
+        <AllowedMethod>HEAD</AllowedMethod>
+        <AllowedHeader>Content-*</AllowedHeader>
+        <AllowedHeader>Host</AllowedHeader>
+        <ExposeHeader>ETag</ExposeHeader>
+        <MaxAgeSeconds>1800</MaxAgeSeconds>
+    </CORSRule>
+    </CORSConfiguration>
+  entrypoint.sh: |
+    #!/bin/sh
+    set -ex
+    echo Running $0 ...
+    s3cmd="s3cmd -c /opt/configmaps/s3provision/s3cmd.cfg"
+    corsconf="/opt/configmaps/s3provision/corsconf.xml"
+
+    pip install s3cmd
+
+    for bucket in em-static cms-static em-media cms-media; do
+      $s3cmd mb s3://$bucket
+    done
+
+    for bucket in em-static cms-static; do
+      $s3cmd setcors $corsconf s3://$bucket
+    done
+
+    echo $0 complete.
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2
new file mode 100644
index 0000000..6771b1f
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/10-gitlab-deployment.yaml.j2
@@ -0,0 +1,108 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: gitlab
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        run: gitlab
+    spec:
+      containers:
+      - name: gitlab
+        image: {{container_uri}}rkt-gitlab:{{container_tag}}
+        ports:
+        - containerPort: 80
+        - containerPort: 22
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - mountPath: /var/opt/gitlab
+          name: gitlab
+          subPath: var/opt/gitlab
+        - mountPath: /etc/gitlab
+          name: gitlab
+          subPath: etc/gitlab
+        - mountPath: /var/log/gitlab
+          name: gitlab
+          subPath: var/log/gitlab
+        - mountPath: /tmp/deploykey
+          name: jenkins-deploykey
+        env:
+        - name: ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: gitlab-password
+              key: password
+        - name: AUTHENTICATION_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: gitlab-password
+              key: auth-token
+        - name: EXTERNAL_URL
+          value: "http://{{git_dns_name}}"
+{% if enable_liveness_probes %}
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 80
+          initialDelaySeconds: {{livenessProbe_initialDelaySeconds.gitlab | default(120)}}
+          periodSeconds: 15
+{% endif %}
+      volumes:
+      - name: gitlab
+        rbd:
+          monitors:
+{% for ip in mon_ips  %}
+          - "{{ ip }}"
+{% endfor %}
+          pool: rbd
+          image: gitlab
+          user: admin
+          secretRef:
+            name: "ceph-secret"
+          fsType: xfs
+          readOnly: false
+      - name: jenkins-deploykey
+        secret:
+          secretName: jenkins-deploykey
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2
new file mode 100644
index 0000000..e78bfc9
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/10-postgresql-deployment.yaml.j2
@@ -0,0 +1,108 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: postgresql
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        run: postgresql
+    spec:
+      containers:
+      - name: postgresql
+        image: {{container_uri}}rkt-postgresql:{{container_tag}}
+        ports:
+        - containerPort: 5432
+        volumeMounts:
+        - mountPath: /var/lib/postgresql/data
+          name: postgresql-data
+        - mountPath: /etc/postgresql/conf.d/
+          name: postgresql-conf
+        - mountPath: /docker-entrypoint-initdb.d/
+          name: postgresql-initdb
+        env:
+        - name: POSTGRES_DB
+          value: icedb
+        - name: ICE_CMS_DB_NAME
+          value: icecmsdb
+        - name: POSTGRES_USER
+          value: {{vault_em_postgresql_user}}
+        - name: ICE_CMS_DB_USER
+          value: {{vault_cms_postgresql_user}}
+        - name: ICE_CMS_DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: postgresql-passwords
+              key: cmsPassword
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: postgresql-passwords
+              key: emPassword
+{% if enable_liveness_probes %}
+        livenessProbe:
+          timeoutSeconds: 1
+          initialDelaySeconds: {{livenessProbe_initialDelaySeconds.postgresql | default(120)}}
+          tcpSocket:
+            port: 5432
+{% endif %}
+      volumes:
+      - name: postgresql-data
+        rbd:
+          monitors:
+{% for ip in mon_ips  %}
+          - "{{ ip }}"
+{% endfor %}
+          pool: rbd
+          image: em_postgresql
+          user: admin
+          secretRef:
+            name: "ceph-secret"
+          fsType: xfs
+          readOnly: false
+      - name: postgresql-conf
+        configMap:
+          name: postgresql-conf
+      - name: postgresql-initdb
+        configMap:
+          name: postgresql-initdb
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/10-redis.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/10-redis.yaml.j2
new file mode 100644
index 0000000..523504a
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/10-redis.yaml.j2
@@ -0,0 +1,55 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: redis
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        run: redis
+    spec:
+      containers:
+      - name: redis
+        image: redis:alpine
+        ports:
+        - containerPort: 6379
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2
new file mode 100644
index 0000000..98a04b5
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-ci-uwsgi-deployment.yaml.j2
@@ -0,0 +1,165 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+{% if ice_environment != 'production' %}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: ci-uwsgi
+spec:
+  template:
+    spec:
+      volumes:
+      - name: ci-settings
+        configMap:
+          name: ci-settings
+      - name: site-crt
+        secret:
+          secretName: site-crt
+{% if devenv is defined %}
+      - name: ci-rsync
+        hostPath:
+          path: /var/devenv/ice-ci/
+{% endif %}
+      containers:
+      - name: ci-uwsgi
+        image: {{container_uri}}rkt-ice-ci:{{container_tag}}
+        ports:
+        - containerPort: 80
+        - containerPort: 8282
+        - containerPort: 9000
+        volumeMounts:
+        - name: ci-settings
+          mountPath: /opt/configmaps/settings/
+        - name: site-crt
+          mountPath: /opt/secrets/site-crt/
+{% if devenv is defined %}
+        - name: ci-rsync
+          mountPath: /app
+{% endif %}
+        env:
+        - name: ICE_ENVIRONMENT
+          value: "{{ice_environment}}"
+        - name: PROGRAM_NAME_URL_PREFIX
+          value: "ice"
+        - name: SECRET_KEY
+          valueFrom:
+            secretKeyRef: {name: em-secret, key: key}
+        - name: EM_DB_HOST
+          value: postgresql
+        - name: EM_DB_PORT
+          value: "5432"
+        - name: EM_DB_NAME
+          value: icedb
+        - name: EM_DB_USER
+          value: "{{vault_em_postgresql_user}}"
+        - name: EM_DB_PASSWORD
+          valueFrom:
+            secretKeyRef: {name: postgresql-passwords, key: emPassword}
+        - name: CMS_DB_HOST
+          value: postgresql
+        - name: CMS_DB_PORT
+          value: "5432"
+        - name: CMS_DB_NAME
+          value: "{{cms_postgresql_db|default('icecmsdb')}}"
+        - name: CMS_DB_USER
+          value: "{{vault_cms_postgresql_user}}"
+        - name: CMS_DB_PASSWORD
+          valueFrom:
+            secretKeyRef: {name: postgresql-passwords, key: cmsPassword}
+        - name: CI_DB_HOST
+          value: postgresql
+        - name: CI_DB_PORT
+          value: "5432"
+        - name: CI_DB_NAME
+          value: icedb
+        - name: CI_DB_USER
+          value: "{{vault_em_postgresql_user}}"
+        - name: CI_DB_PASSWORD
+          valueFrom:
+            secretKeyRef: {name: postgresql-passwords, key: ciPassword}
+        - name: STATIC_ROOT
+          value: "/app/htdocs"
+        - name: ICE_CONTACT_FROM_ADDRESS
+          value: "{{vault_email_host_user}}"
+        - name: SECRET_WEBHOOK_TOKEN
+          valueFrom:
+            secretKeyRef: {name: em-secret, key: em_webhook_token}
+        - name: SECRET_GITLAB_AUTH_TOKEN
+          valueFrom:
+            secretKeyRef: {name: gitlab-password, key: auth-token}
+        - name: SECRET_JENKINS_PASSWORD
+          valueFrom:
+            secretKeyRef: {name: em-secret, key: jenkins_admin_password}
+        - name: ICE_DOMAIN
+          value: https://{{domain}}
+        - name: ICE_EM_DOMAIN_NAME
+          value: https://{{em_domain_name}}
+        - name: OAUTHLIB_INSECURE_TRANSPORT
+          value: "1"
+        - name: CI_ADMIN_USER
+          value: "{{vault_ci_admin_user}}"
+        - name: CI_ADMIN_MAIL
+          value: "{{vault_ci_admin_mail}}"
+        - name: CI_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef: {name: ci-secret, key: admin_password}
+        - name: S3_HOST
+          value: "{{s3_dns_name}}"
+        - name: S3_PORT
+          value: "443"
+        - name: AWS_ACCESS_KEY_ID
+          valueFrom:
+            secretKeyRef: {name: em-secret, key: aws_access_key_id}
+        - name: AWS_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef: {name: em-secret, key: aws_secret_access_key}
+{% if enable_liveness_probes %}
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 9000
+          initialDelaySeconds: 90
+          periodSeconds: 15
+{% endif %}
+        command: ["/app/docker-entrypoint.sh", "/usr/local/bin/uwsgi", "--ini", "/opt/configmaps/settings/uwsgi.ini", "--static-map", "/static=/app/htdocs" {% if devenv is defined %}, "--py-auto-reload" , "3"{% endif %}]
+    metadata:
+      labels:
+        run: ci-uwsgi
+{% endif %}
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2
new file mode 100644
index 0000000..8b601e9
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-cms-uwsgi-deployment.yaml.j2
@@ -0,0 +1,146 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: cms-uwsgi
+spec:
+  template:
+    spec:
+      containers:
+      - name: cms-uwsgi
+        image: {{container_uri}}rkt-ice-cms:{{container_tag}}
+        ports:
+        - containerPort: 80
+        - containerPort: 9000
+        env:
+        - name: ENVIRONMENT
+          value: "{{ice_environment}}"
+        - name: SECRET_KEY
+          valueFrom:
+            secretKeyRef: {name: cms-secret, key: key}
+        - name: EMAIL_HOST
+          value: "{{vault_email_host}}"
+        - name: EMAIL_HOST_USER
+          value: "{{vault_email_host_user}}"
+        - name: EMAIL_PORT
+          value: "{{email_port|default(25)}}"
+        - name: EMAIL_HOST_PASSWORD
+          valueFrom:
+            secretKeyRef: {name: email-secret, key: password}
+        - name: PGHOST
+          value: postgresql
+        - name: PGPORT
+          value: "5432"
+        - name: PGDATABASE
+          value: "{{cms_postgresql_db|default('icecmsdb')}}"
+        - name: PGUSER
+          value: "{{vault_cms_postgresql_user}}"
+        - name: PGPASSWORD
+          valueFrom:
+            secretKeyRef: {name: postgresql-passwords, key: cmsPassword}
+        - name: ICE_CONTACT_FROM_ADDRESS
+          value: "{{vault_email_host_user}}"
+        - name: CMS_NEVERCACHE_KEY
+          valueFrom:
+            secretKeyRef: {name: cms-secret, key: nevercache_key}
+        - name: CMS_APP_USER
+          valueFrom:
+            secretKeyRef: {name: cms-secret, key: app_user}
+        - name: CMS_APP_USER_MAIL
+          valueFrom:
+            secretKeyRef: {name: cms-secret, key: app_user_mail}
+        - name: CMS_APP_USER_PASSWORD
+          valueFrom:
+            secretKeyRef: {name: cms-secret, key: app_user_password}
+        - name: CMS_APP_CLIENT_ID
+          valueFrom:
+            secretKeyRef: {name: cms-secret, key: app_client_id}
+        - name: CMS_APP_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef: {name: cms-secret, key: app_client_secret}
+        - name: STATIC_ROOT
+          value: "/app/htdocs"
+        - name: DJANGO_DEBUG_MODE
+          value: "{{django_debug_mode}}"
+        - name: S3_HOST
+          value: "{{s3_dns_name}}"
+        - name: S3_PORT
+          value: "443"
+        - name: AWS_ACCESS_KEY_ID
+          valueFrom:
+            secretKeyRef: {name: em-secret, key: aws_access_key_id}
+        - name: AWS_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef: {name: em-secret, key: aws_secret_access_key}
+{% if enable_liveness_probes %}
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 9000
+          initialDelaySeconds: 30
+          periodSeconds: 15
+          timeoutSeconds: 10
+{% endif %}
+        command: ["/docker-entrypoint.sh", "/usr/local/bin/uwsgi", "--ini", "/opt/configmaps/settings/uwsgi.ini", {% if devenv is defined %}"--py-auto-reload" , "3",{% endif %}"--static-map", "/static=/app/htdocs"]
+        volumeMounts:
+        - name: settings
+          mountPath: /opt/configmaps/settings/
+        - name: site-crt
+          mountPath: /opt/secrets/site-crt/
+{% if devenv is defined %}
+        - name: cms-rsync
+          mountPath: /srv
+{% endif %}
+      volumes:
+      - name: settings
+        configMap:
+          name: cms-settings
+      - name: site-crt
+        secret:
+          secretName: site-crt
+{% if devenv is defined %}
+      - name: cms-rsync
+        hostPath:
+          path: /var/devenv/rkt-ice-cms/django
+{% endif %}
+    metadata:
+      labels:
+        run: cms-uwsgi
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2
new file mode 100644
index 0000000..8cedd29
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-em-uwsgi-deployment.yaml.j2
@@ -0,0 +1,162 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: em-uwsgi
+spec:
+  template:
+    spec:
+      volumes:
+{% if devenv is defined %}
+      - name: em-rsync
+        hostPath:
+          path: /var/devenv/rkt-ice-engagementmgr/django
+{% endif %}
+      - name: site-crt
+        secret:
+          secretName: site-crt
+      - name: em-settings
+        configMap:
+          name: em-settings
+      containers:
+      - name: em-uwsgi
+        image: {{container_uri}}rkt-engagementmgr:{{container_tag}}
+        ports:
+        - containerPort: 80
+        - containerPort: 9000
+        volumeMounts:
+{% if devenv is defined %}
+        - name: em-rsync
+          mountPath: /srv
+{% endif %}
+        - name: em-settings
+          mountPath: /opt/configmaps/settings/ 
+        - name: site-crt
+          mountPath: /opt/secrets/site-crt/
+        env:
+        - name: ENVIRONMENT
+          value: "{{ice_environment}}"
+        - name: PROGRAM_NAME_URL_PREFIX
+          value: "ice"
+        - name: SECRET_KEY
+          valueFrom:
+            secretKeyRef: {name: em-secret, key: key}
+        - name: EMAIL_HOST
+          value: "{{vault_email_host}}"
+        - name: EMAIL_HOST_USER
+          value: "{{vault_email_host_user}}"
+        - name: EMAIL_PORT
+          value: "{{email_port|default(25)}}"
+        - name: EMAIL_HOST_PASSWORD
+          valueFrom:
+            secretKeyRef: {name: email-secret, key: password}
+        - name: PGHOST
+          value: postgresql
+        - name: PGPORT
+          value: "5432"
+        - name: PGDATABASE
+          value: icedb
+        - name: PGUSER
+          value: "{{vault_em_postgresql_user}}"
+        - name: PGPASSWORD
+          valueFrom:
+            secretKeyRef: {name: postgresql-passwords, key: emPassword}
+        - name: DOMAIN
+          value: https://{{domain}}
+        - name: ICE_EM_DOMAIN_NAME
+          value: https://{{em_domain_name}}
+        - name: CONTACT_FROM_ADDRESS
+          value: "{{vault_email_host_user}}"
+        - name: OAUTHLIB_INSECURE_TRANSPORT
+          value: "1"
+        - name: SECRET_WEBHOOK_TOKEN
+          valueFrom:
+            secretKeyRef: {name: em-secret, key: em_webhook_token}
+        - name: SECRET_GITLAB_AUTH_TOKEN
+          valueFrom:
+            secretKeyRef: {name: gitlab-password, key: auth-token}
+        - name: SECRET_JENKINS_PASSWORD
+          valueFrom:
+            secretKeyRef: {name: em-secret, key: jenkins_admin_password}
+        - name: SECRET_CMS_APP_CLIENT_ID
+          valueFrom:
+            secretKeyRef: {name: em-secret, key: cms_app_client_id}
+        - name: SECRET_CMS_APP_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef: {name: em-secret, key: cms_app_client_secret}
+        - name: STATIC_ROOT
+          value: "/app/htdocs"
+        - name: DJANGO_DEBUG_MODE
+          value: "{{django_debug_mode}}"
+        - name: SLACK_API_TOKEN
+          valueFrom:
+            secretKeyRef: {name: em-secret, key: slack_api_token}
+        - name: ENGAGEMENTS_CHANNEL
+          value: "{{engagements_channel | default('')}}"
+        - name: ENGAGEMENTS_NOTIFICATIONS_CHANNEL
+          value: "{{engagements_notifications_channel | default('')}}"
+        - name: DEVOPS_CHANNEL
+          value: "{{devops_channel | default('')}}"
+        - name: DEVOPS_NOTIFICATIONS_CHANNEL
+          value: "{{devops_notifications_channel | default('')}}"
+        - name: S3_HOST
+          value: "{{s3_dns_name}}"
+        - name: S3_PORT
+          value: "443"
+        - name: AWS_ACCESS_KEY_ID
+          valueFrom:
+            secretKeyRef: {name: em-secret, key: aws_access_key_id}
+        - name: AWS_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef: {name: em-secret, key: aws_secret_access_key}
+{% if enable_liveness_probes %}
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 9000
+          initialDelaySeconds: {{livenessProbe_initialDelaySeconds.em | default(90)}}
+          periodSeconds: 15
+          timeoutSeconds: 10
+{% endif %}
+        command: ["/docker-entrypoint.sh", "/usr/local/bin/uwsgi", "--ini", "/opt/configmaps/settings/uwsgi.ini", {% if devenv is defined %}"--py-auto-reload" , "3",{% endif %}"--static-map", "/static=/app/htdocs"]
+    metadata:
+      labels:
+        run: em-uwsgi
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2
new file mode 100644
index 0000000..775d341
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-imagescanner.yaml.j2
@@ -0,0 +1,107 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: imagescanner
+spec:
+  template:
+    spec:
+
+      containers:
+      - name: imagescanner-worker
+        image: {{container_uri}}ice-image-scanner:{{container_tag}}
+        command: ["/usr/local/bin/imagescanner-worker"]
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: imagescanner-ssh
+          mountPath: /root/.ssh
+        - name: dev
+          mountPath: /dev
+        - name: logs
+          mountPath: /var/log/imagescanner
+
+      - name: notifications-worker
+        image: {{container_uri}}ice-image-scanner:{{container_tag}}
+        command: ["/usr/local/bin/notifications-worker"]
+        securityContext:
+          privileged: true
+        env:
+        - name: SLACK_TOKEN
+          valueFrom:
+            secretKeyRef: {name: slack-tokens, key: notifications}
+        - name: DOMAIN
+          value: "{{em_internal_dns_name}}"
+
+      - name: imagescanner-frontend
+        image: {{container_uri}}ice-image-scanner:{{container_tag}}
+        command: ["/usr/local/bin/imagescanner-frontend"]
+        {#
+            FIXME: No, the frontend does not require a privileged container.
+            However, it seems that if you run the frontend container without
+            this specification in the same pod as the worker, then the worker
+            loses its privileges!
+        -#}
+        securityContext:
+          privileged: true
+        ports:
+        - containerPort: 80
+        volumeMounts:
+        - name: logs
+          mountPath: /var/log/imagescanner
+        env:
+        - name: DEFAULT_SLACK_CHANNEL
+          value: "#notifications"
+
+      volumes:
+      - name: imagescanner-ssh
+        secret:
+          secretName: imagescanner-ssh
+          defaultMode: 0600
+      - name: dev
+        hostPath:
+          path: /dev
+      - name: logs
+        emptyDir: {}
+
+    metadata:
+      labels:
+        run: imagescanner
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2
new file mode 100644
index 0000000..61504f1
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/20-jenkins-deployment.yaml.j2
@@ -0,0 +1,89 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: jenkins
+spec:
+  template:
+    spec:
+      containers:
+      - name: jenkins
+        image: {{container_uri}}rkt-jenkins:{{container_tag}}
+        ports:
+        - containerPort: 8080
+        volumeMounts:
+        - name: jenkins-home
+          mountPath: /var/jenkins_home
+        - name: jenkins-users-admin
+          mountPath: /var/jenkins_home/users/admin
+        - name: jenkins-ssh
+          mountPath: /var/jenkins_home/.ssh
+{% if enable_liveness_probes %}
+        livenessProbe:
+          httpGet:
+            path: /robots.txt
+            port: 8080
+          initialDelaySeconds: 120
+          periodSeconds: 15
+{% endif %}
+      volumes:
+      - name: jenkins-home
+        rbd:
+          monitors:
+{% for ip in mon_ips %}
+          - "{{ ip }}"
+{% endfor %}
+          pool: rbd
+          image: jenkins
+          user: admin
+          secretRef:
+            name: "ceph-secret"
+          fsType: xfs
+          readOnly: false
+      - name: jenkins-users-admin
+        secret:
+          secretName: jenkins-users-admin
+      - name: jenkins-ssh
+        secret:
+          secretName: jenkins-ssh
+    metadata:
+      labels:
+        run: jenkins
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2
new file mode 100644
index 0000000..f3505e5
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/30-portal-deployment.yaml.j2
@@ -0,0 +1,70 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: portal
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        run: portal
+    spec:
+      containers:
+      - name: portal
+        image: {{container_uri}}rkt-ice-portal:{{container_tag}}
+        ports:
+        - containerPort: 8181
+        command: ["nginx", "-g", "daemon off;", "-c", "/tmp/nginx.conf"]
+        volumeMounts:
+        - mountPath: /tmp/
+          name: portal-nginx-config
+{% if devenv is defined %}
+        - name: portal-rsync
+          mountPath: /usr/share/nginx/html
+{% endif %}
+      volumes:
+      - name: portal-nginx-config
+        configMap:
+          name: portal-nginx-config
+          items:
+          - key: file
+            path: nginx.conf
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/40-ext-haproxy-deployment.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/40-ext-haproxy-deployment.yaml.j2
new file mode 100644
index 0000000..729f98c
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/40-ext-haproxy-deployment.yaml.j2
@@ -0,0 +1,95 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: ext-haproxy
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        run: ext-haproxy
+    spec:
+      containers:
+      - name: ext-haproxy
+        image: haproxy:1.7.2-alpine
+        ports:
+        - containerPort: 80
+        - containerPort: 22
+        - containerPort: 443
+        - containerPort: 9001
+        env:
+        - name: HAPROXY_USER
+          valueFrom:
+            secretKeyRef:
+              name: haproxy-auth
+              key: user
+        - name: HAPROXY_PASS
+          valueFrom:
+            secretKeyRef:
+              name: haproxy-auth
+              key: pass
+{% if enable_liveness_probes %}
+        livenessProbe:
+          httpGet:
+            path: /haproxy_stats
+            port: 9001
+            httpHeaders:
+            - name: Authorization
+              value: Basic {{(vault_haproxy_user+":"+vault_haproxy_pass)|b64encode}}
+          initialDelaySeconds: 15
+          periodSeconds: 15
+{% endif %}
+        volumeMounts:
+        - mountPath: /usr/local/etc/haproxy/
+          name: ext-haproxy-cfg
+        - mountPath: /etc/haproxy/
+          name: site-pem
+      volumes:
+      - name: ext-haproxy-cfg
+        configMap:
+          name: ext-haproxy-cfg
+          items:
+          - key: file
+            path: haproxy.cfg
+      - name: site-pem
+        secret:
+          secretName: site-pem
diff --git a/ansible/roles/ansible-vvp-templates/templates/deployments/40-int-haproxy-deployments.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/deployments/40-int-haproxy-deployments.yaml.j2
new file mode 100644
index 0000000..bc23c01
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/deployments/40-int-haproxy-deployments.yaml.j2
@@ -0,0 +1,89 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: int-haproxy
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        run: int-haproxy
+    spec:
+      containers:
+      - name: int-haproxy
+        image: haproxy:1.7.2-alpine
+        ports:
+        - containerPort: 80
+        - containerPort: 8080
+        - containerPort: 9000
+        env:
+        - name: HAPROXY_USER
+          valueFrom:
+            secretKeyRef:
+              name: haproxy-auth
+              key: user
+        - name: HAPROXY_PASS
+          valueFrom:
+            secretKeyRef:
+              name: haproxy-auth
+              key: pass
+{% if enable_liveness_probes %}
+        livenessProbe:
+          httpGet:
+            path: /haproxy_stats
+            port: 9000
+            httpHeaders:
+            - name: Authorization
+              value: Basic {{(vault_haproxy_user+":"+vault_haproxy_pass)|b64encode}}
+          initialDelaySeconds: 15
+          periodSeconds: 15
+{% endif %}
+        volumeMounts:
+        - mountPath: /usr/local/etc/haproxy/
+          name: int-haproxy-cfg
+      volumes:
+      - name: int-haproxy-cfg
+        configMap:
+          name: int-haproxy-cfg
+          items:
+          - key: file
+            path: haproxy.cfg
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/ceph-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/ceph-secret.yaml.j2
new file mode 100644
index 0000000..a0480ec
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/ceph-secret.yaml.j2
@@ -0,0 +1,46 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ceph-secret
+type: "kubernetes.io/rbd"
+data:
+  key: "{{ ceph_key | b64encode }}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/ci-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/ci-secret.yaml.j2
new file mode 100644
index 0000000..dae5191
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/ci-secret.yaml.j2
@@ -0,0 +1,48 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+{% if ice_environment != 'production' %}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ci-secret
+type: Opaque
+data:
+  admin_password: "{{vault_ci_admin_password | b64encode}}"
+{% endif %}
\ No newline at end of file
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/cms-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/cms-secret.yaml.j2
new file mode 100644
index 0000000..38c528c
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/cms-secret.yaml.j2
@@ -0,0 +1,52 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cms-secret
+type: Opaque
+data:
+  key: "{{ vault_cms_secret_key | b64encode }}"
+  app_user: "{{vault_cms_app_user | b64encode}}"
+  app_user_mail: "{{vault_cms_app_user_mail | b64encode}}"
+  app_user_password: "{{vault_cms_app_user_password | b64encode}}"
+  app_client_id: "{{vault_cms_app_client_id | b64encode}}"
+  app_client_secret: "{{vault_cms_app_client_secret | b64encode}}"
+  nevercache_key: "{{vault_cms_nevercache_key | b64encode}}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/em-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/em-secret.yaml.j2
new file mode 100644
index 0000000..56cbb30
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/em-secret.yaml.j2
@@ -0,0 +1,54 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: em-secret
+type: Opaque
+data:
+  key: "{{ vault_em_secret_key | b64encode }}"
+  em_webhook_token: "{{ vault_engagementmgr_webhook_token | b64encode }}"
+  gitlab_admin_password: "{{ vault_gitlab_admin_password | b64encode }}"
+  jenkins_admin_password: "{{ vault_jenkins_admin_password | b64encode }}"
+  cms_app_client_id: "{{vault_cms_app_client_id | b64encode}}"
+  cms_app_client_secret: "{{vault_cms_app_client_secret | b64encode}}"
+  slack_api_token: "{{( vault_slack_api_token | default('') ) | b64encode}}"
+  aws_access_key_id: "{{ vault_aws_access_key_id | b64encode }}"
+  aws_secret_access_key: "{{ vault_aws_secret_access_key | b64encode }}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2
new file mode 100644
index 0000000..29d1319
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/email-secret.yaml.j2
@@ -0,0 +1,46 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: email-secret
+type: Opaque
+data:
+  password: "{{vault_email_host_password | b64encode }}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/gitlab-password-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/gitlab-password-secret.yaml.j2
new file mode 100644
index 0000000..3621b45
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/gitlab-password-secret.yaml.j2
@@ -0,0 +1,47 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitlab-password
+type: Opaque
+data:
+  password: "{{ vault_gitlab_admin_password | b64encode }}"
+  auth-token: "{{ vault_gitlab_authentication_token | b64encode }}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/haproxy-auth-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/haproxy-auth-secret.yaml.j2
new file mode 100644
index 0000000..c1a8fe1
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/haproxy-auth-secret.yaml.j2
@@ -0,0 +1,47 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: haproxy-auth
+type: Opaque
+data:
+  user: "{{ vault_haproxy_user | b64encode }}"
+  pass: "{{ vault_haproxy_pass | b64encode }}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/imagescanner-ssh-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/imagescanner-ssh-secret.yaml.j2
new file mode 100644
index 0000000..0028baf
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/imagescanner-ssh-secret.yaml.j2
@@ -0,0 +1,50 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: imagescanner-ssh
+  namespace: default
+type: Opaque
+data:
+  # FIXME the imagescanner really should have its own private key, but then we
+  # have to adjust the gitlab wrapper script to set two public keys as
+  # deploykeys.
+  id_ed25519: "{{vault_jenkins_deploy_key|b64encode}}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/jenkins-admin-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/jenkins-admin-secret.yaml.j2
new file mode 100644
index 0000000..c44d898
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/jenkins-admin-secret.yaml.j2
@@ -0,0 +1,47 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: jenkins-users-admin
+  namespace: default
+type: Opaque
+data:
+  config.xml: "{{jenkins_admin_config_xml|b64encode}}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/jenkins-deploykey-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/jenkins-deploykey-secret.yaml.j2
new file mode 100644
index 0000000..4dee827
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/jenkins-deploykey-secret.yaml.j2
@@ -0,0 +1,47 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: jenkins-deploykey
+  namespace: default
+type: Opaque
+data:
+  deploykey.pub: "{{vault_jenkins_deploy_key_pub|b64encode}}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/jenkins-ssh-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/jenkins-ssh-secret.yaml.j2
new file mode 100644
index 0000000..633e1ae
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/jenkins-ssh-secret.yaml.j2
@@ -0,0 +1,51 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: jenkins-ssh
+  namespace: default
+type: Opaque
+data:
+  # .ssh/config isn't really a secret, but it's the easiest way to get it into
+  # the same directory as the key
+  config: >
+    SG9zdCAqClVzZXJLbm93bkhvc3RzRmlsZSAvZGV2L251bGwKU3RyaWN0SG9zdEtleUNoZWNraW5nIG5vCklkZW50aXR5RmlsZSAiL3Zhci9qZW5raW5zX2hvbWUvLnNzaC9pZF9lZDI1NTE5Igo=
+  id_ed25519: "{{vault_jenkins_deploy_key|b64encode}}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/postgresql-passwords-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/postgresql-passwords-secret.yaml.j2
new file mode 100644
index 0000000..03f1d9e
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/postgresql-passwords-secret.yaml.j2
@@ -0,0 +1,50 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: postgresql-passwords
+type: Opaque
+data:
+  emPassword: "{{ vault_em_postgresql_password | b64encode }}"
+  cmsPassword: "{{vault_cms_postgresql_password | b64encode}}"
+{% if ice_environment != 'production' %}
+  ciPassword: "{{vault_ci_postgresql_password | b64encode}}"
+{% endif %}
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2
new file mode 100644
index 0000000..f529dcf
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/site-crt-secret.yaml.j2
@@ -0,0 +1,47 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: site-crt
+type: Opaque
+data:
+  # the public part of the certificate, not actually a secret.
+  site.crt: "{{ site_pem_cert | b64encode }}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2
new file mode 100644
index 0000000..d045770
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/site-pem-secret.yaml.j2
@@ -0,0 +1,46 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: site-pem
+type: Opaque
+data:
+  site.pem: "{{ site_pem | b64encode }}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/secrets/slack-tokens-secret.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/secrets/slack-tokens-secret.yaml.j2
new file mode 100644
index 0000000..ae9f29d
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/secrets/slack-tokens-secret.yaml.j2
@@ -0,0 +1,46 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: slack-tokens
+type: Opaque
+data:
+  notifications: "{{( vault_slack_tokens.notifications | default('') ) | b64encode}}"
diff --git a/ansible/roles/ansible-vvp-templates/templates/services/haproxy-service.yaml.j2 b/ansible/roles/ansible-vvp-templates/templates/services/haproxy-service.yaml.j2
new file mode 100644
index 0000000..a1b6cd4
--- /dev/null
+++ b/ansible/roles/ansible-vvp-templates/templates/services/haproxy-service.yaml.j2
@@ -0,0 +1,105 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ext-haproxy
+  labels:
+    run: ext-haproxy
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    name: web
+  - port: 443
+    protocol: TCP
+    name: ssl
+  - port: 22
+    protocol: TCP
+    name: ssh
+  - port: 9000
+    protocol: TCP
+    name: stats
+  externalIPs:
+{% for ip in external_ips %}
+  - "{{ ip }}"
+{% endfor %}
+  selector:
+    run: ext-haproxy
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: int-haproxy
+  labels:
+    run: int-haproxy
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    name: web
+  - port: 8080
+    protocol: TCP
+    name: jenkins
+  - port: 9000
+    protocol: TCP
+    name: stats
+  externalIPs:
+{% for ip in internal_ips %}
+  - "{{ ip }}"
+{% endfor %}
+  selector:
+    run: int-haproxy
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ext-haproxy-stats
+  labels:
+    run: ext-haproxy-stats
+spec:
+  ports:
+  - port: 9001
+    protocol: TCP
+    name: stats
+  externalIPs:
+  - "{{ internal_ips[0] }}"
+  selector:
+    run: ext-haproxy