diff --git a/README.md b/README.md
index 0ce9c882..bea592b6 100644
--- a/README.md
+++ b/README.md
@@ -76,4 +76,41 @@ but it may be origin if you haven't configured it differently):
git push --force upstream name-of-local-branch:live/test-cara
+## OpenShift templates
+First, get the [oc](https://docs.okd.io/3.11/cli_reference/get_started_cli.html) client and then login:
+
+```console
+$ oc login https://openshift-dev.cern.ch
+```
+
+Then, switch to the project that you want to update:
+
+```console
+$ oc project test-cara
+```
+
+If you need to create the application in a new project, run:
+
+```console
+$ cd app-config/openshift
+
+$ oc process -f application.yaml | oc create -f -
+$ oc process -f services.yaml | oc create -f -
+$ oc process -f configmap.yaml | oc create -f -
+```
+
+If you need to **replace** existing configuration, then run:
+
+```console
+$ cd app-config/openshift
+
+$ oc process -f application.yaml | oc replace -f -
+$ oc process -f services.yaml | oc replace -f -
+$ oc process -f configmap.yaml | oc replace -f -
+```
+
+### CERN SSO Proxy
+
+You can find documentation on how to setup the CERN SSO Proxy to enable CERN SSO login [here](https://cern.service-now.com/service-portal?id=kb_article_view&sys_kb_id=ffa4398a4f2cb2807db7d3ef0310c7c5).
+The source code of the OpenShift template is available [here](https://gitlab.cern.ch/paas-tools/cern-sso-proxy/-/tree/master/)
diff --git a/app-config/openshift/application.yaml b/app-config/openshift/application.yaml
new file mode 100644
index 00000000..258501d1
--- /dev/null
+++ b/app-config/openshift/application.yaml
@@ -0,0 +1,228 @@
+---
+ kind: "Template"
+ apiVersion: "v1"
+ metadata:
+ name: "cara-application"
+ creationTimestamp: null
+ annotations:
+ description: "CARA application OpenShift template."
+ tags: "cara-application"
+ labels:
+ template: "cara-application"
+ objects:
+ -
+ kind: BuildConfig
+ apiVersion: v1
+ metadata:
+ name: cara-app
+ spec:
+ source:
+ git:
+ ref: master
+ uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
+ sourceSecret:
+ name: sshdeploykey
+ output:
+ to:
+ kind: ImageStreamTag
+ name: 'cara-app:latest'
+ strategy:
+ sourceStrategy:
+ env:
+ - name: APP_NAME
+ value: cara-voila
+ from:
+ kind: ImageStreamTag
+ name: 'python:3.6'
+ namespace: openshift
+ type: Source
+ triggers:
+ - generic:
+ secretReference:
+ name: gitlab-cara-webhook-secret
+ type: Generic
+ -
+ kind: BuildConfig
+ apiVersion: v1
+ metadata:
+ name: cara-router
+ spec:
+ source:
+ git:
+ ref: master
+ uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
+ contextDir: app-config/nginx
+ sourceSecret:
+ name: sshdeploykey
+ output:
+ to:
+ kind: ImageStreamTag
+ name: 'cara-router:latest'
+ strategy:
+ sourceStrategy:
+ from:
+ kind: ImageStreamTag
+ name: 'nginx:1.12'
+ namespace: openshift
+ type: Source
+ triggers:
+ - generic:
+ secretReference:
+ name: gitlab-cara-webhook-secret
+ type: Generic
+ -
+ kind: BuildConfig
+ apiVersion: v1
+ metadata:
+ name: cara-webservice
+ spec:
+ source:
+ git:
+ ref: master
+ uri: 'ssh://git@gitlab.cern.ch:7999/cara/cara.git'
+ sourceSecret:
+ name: sshdeploykey
+ output:
+ to:
+ kind: ImageStreamTag
+ name: 'cara-webservice:latest'
+ strategy:
+ sourceStrategy:
+ env:
+ - name: APP_NAME
+ value: cara-webservice
+ from:
+ kind: ImageStreamTag
+ name: 'python:3.6'
+ namespace: openshift
+ type: Source
+ triggers:
+ - generic:
+ secretReference:
+ name: gitlab-cara-webhook-secret
+ type: Generic
+ -
+ apiVersion: v1
+ kind: Route
+ metadata:
+ name: cern-sso-proxy
+ spec:
+ host: cara.web.cern.ch
+ port:
+ targetPort: 8081
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: edge
+ to:
+ kind: Service
+ name: cern-sso-proxy
+ -
+ apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: cara-app
+ spec:
+ replicas;: 1
+ template:
+ metadata:
+ labels:
+ app: cara-app
+ spec:
+ containers:
+ - name: cara-app
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ triggers:
+ - type: ImageChange
+ imageChangeParams:
+ automatic: true
+ containerNames:
+ - cara-app
+ from:
+ kind: ImageStreamTag
+ name: 'cara-app:latest'
+ namespace: cara
+ -
+ apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: cara-router
+ spec:
+ replicas;: 1
+ template:
+ metadata:
+ labels:
+ app: cara-router
+ spec:
+ containers:
+ - name: cara-router
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ - containerPort: 8443
+ protocol: TCP
+ triggers:
+ - type: ImageChange
+ imageChangeParams:
+ automatic: true
+ containerNames:
+ - cara-router
+ from:
+ kind: ImageStreamTag
+ name: 'cara-router:latest'
+ namespace: cara
+ -
+ apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: cara-webservice
+ spec:
+ replicas;: 1
+ template:
+ metadata:
+ labels:
+ app: cara-webservice
+ spec:
+ containers:
+ - name: cara-webservice
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ triggers:
+ - type: ImageChange
+ imageChangeParams:
+ automatic: true
+ containerNames:
+ - cara-webservice
+ from:
+ kind: ImageStreamTag
+ name: 'cara-webservice:latest'
+ namespace: cara
+ -
+ apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: cern-sso-proxy
+ spec:
+ replicas;: 1
+ template:
+ metadata:
+ labels:
+ app: cern-sso-proxy
+ spec:
+ containers:
+ - name: cern-sso-proxy
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ triggers:
+ - type: ImageChange
+ imageChangeParams:
+ automatic: true
+ containerNames:
+ - cern-sso-proxy
+ from:
+ kind: ImageStreamTag
+ name: 'cern-sso-proxy:latest'
+ namespace: cara
diff --git a/app-config/openshift/configmap.yaml b/app-config/openshift/configmap.yaml
new file mode 100644
index 00000000..52f0ef83
--- /dev/null
+++ b/app-config/openshift/configmap.yaml
@@ -0,0 +1,66 @@
+---
+ kind: "Template"
+ apiVersion: "v1"
+ metadata:
+ name: "cara-configuration"
+ creationTimestamp: null
+ annotations:
+ description: "CARA Config Maps OpenShift template."
+ tags: "cara-configuration"
+ labels:
+ template: "cara-application"
+ objects:
+ -
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: cern-sso-proxy
+ data:
+ authorize.conf: |-
+ # Make sure clients cannot fake authentication by injecting headers
+ RequestHeader unset X-ADFS-LOGIN
+ RequestHeader unset X-ADFS-EMAIL
+ RequestHeader unset X-ADFS-FIRSTNAME
+ RequestHeader unset X-ADFS-LASTNAME
+ RequestHeader unset X-ADFS-FULLNAME
+
+ #Protected resources
+
+ ShibRequestSetting requireSession 1
+ AuthType shibboleth
+
+ Require valid-user
+ Require shib-attr ADFS_GROUP cern-personnel
+
+ RequestHeader set X-ADFS-LOGIN %{ADFS_LOGIN}e
+ RequestHeader set X-ADFS-EMAIL %{ADFS_EMAIL}e
+ RequestHeader set X-ADFS-FIRSTNAME %{ADFS_FIRSTNAME}e
+ RequestHeader set X-ADFS-LASTNAME %{ADFS_LASTNAME}e
+ RequestHeader set X-ADFS-FULLNAME %{ADFS_FULLNAME}e
+
+ proxy.conf: |-
+ # Enable reverse proxy for websockets
+ # https://github.com/jupyterhub/jupyterhub/issues/367
+ # https://github.com/websockets/ws/issues/893
+
+ ProxyPreserveHost On
+ ProxyPass / http://${SERVICE_HOST}:${SERVICE_PORT}/
+ ProxyPassReverse / http://${SERVICE_HOST}:${SERVICE_PORT}/
+ ProxyRequests off
+
+
+ RequestHeader set X-SCRIPT-NAME /voila-server/
+ ProxyPassReverse http://${SERVICE_HOST}:${SERVICE_PORT}/
+ RewriteEngine on
+ RewriteCond %{HTTP:UPGRADE} =websocket [NC]
+ RewriteRule /voila-server/api/kernels/(.*) ws://${SERVICE_HOST}:${SERVICE_PORT}/voila-server/api/kernels/$1 [P,L]
+ RewriteCond %{HTTP:UPGRADE} !=websocket [NC]
+ RewriteRule /voila-server/api/kernels/(.*) http://${SERVICE_HOST}:${SERVICE_PORT}/voila-server/api/kernels/$1 [P,L]
+
+ -
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: cern-sso-shib
+ data:
+ shibboleth2.xml: ''
diff --git a/app-config/openshift/services.yaml b/app-config/openshift/services.yaml
new file mode 100644
index 00000000..081dd967
--- /dev/null
+++ b/app-config/openshift/services.yaml
@@ -0,0 +1,48 @@
+---
+ kind: "Template"
+ apiVersion: "v1"
+ metadata:
+ name: "cara-services"
+ creationTimestamp: null
+ annotations:
+ description: "CARA services OpenShift template."
+ tags: "cara-services"
+ labels:
+ template: "cara-services"
+ objects:
+ -
+ apiVersion: v1
+ kind: Service
+ metadata:
+ labels:
+ app: cara-router
+ name: cara-router
+ spec:
+ ports:
+ - name: 8080-tcp
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ - name: 8443-tcp
+ port: 8443
+ protocol: TCP
+ targetPort: 8443
+ selector:
+ app: cara-router
+ -
+ apiVersion: v1
+ kind: Service
+ metadata:
+ labels:
+ app: cara-webservice
+ name: cara-webservice
+ spec:
+ ports:
+ - name: 8080-tcp
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: cara-webservice
+
+