diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 89599cd300..f74286e0fa 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -210,11 +210,18 @@ ocp_nodes: - worker04.ocp.iad2.fedoraproject.org - worker05.ocp.iad2.fedoraproject.org - worker06.ocp.iad2.fedoraproject.org +ocp_nodes_rdu3: + - worker01.ocp.rdu3.fedoraproject.org ocp_wildcard_cert_file: wildcard-2024.apps.ocp.fedoraproject.org.cert # This is the openshift wildcard cert for ocp ocp_wildcard_cert_name: wildcard-2024.apps.ocp.fedoraproject.org ocp_wildcard_int_file: wildcard-2024.apps.ocp.fedoraproject.org.intermediate.cert ocp_wildcard_key_file: wildcard-2024.apps.ocp.fedoraproject.org.key +# rdu3 ocp cert while we are not yet moved +ocp_rdu3_wildcard_cert_file: wildcard-2025.apps.ocp-rdu3.fedoraproject.org.cert +ocp_rdu3_wildcard_cert_name: wildcard-2025.apps.ocp-rdu3.fedoraproject.org +ocp_rdu3_wildcard_int_file: wildcard-2025.apps.ocp-rdu3.fedoraproject.org.intermediate.cert +ocp_rdu3_wildcard_key_file: wildcard-2025.apps.ocp-rdu3.fedoraproject.org.key # Path to the openshift-ansible checkout as external git repo brought into # Fedora Infra openshift_ansible: /srv/web/infra/openshift-ansible/ diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies index 1d83e2c398..2a186acf4e 100644 --- a/inventory/group_vars/proxies +++ b/inventory/group_vars/proxies @@ -95,6 +95,9 @@ ocp_nodes: - worker04.vpn.fedoraproject.org - worker05.vpn.fedoraproject.org - worker06.vpn.fedoraproject.org +# once vpn is up on rdu3 openshift we can switch this to use vpn +#ocp_nodes_rdu3: +# - worker01-rdu3.vpn.fedoraproject.org postvpnservices: - haproxy - varnish diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index ba90ac77e3..9675dbcff8 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml 
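Review bot: `ocp_nodes_rdu3` is added in inventory/group_vars/all with no staging counterpart, yet both new `httpd/reverseproxy` entries in playbooks/include/proxies-reverseproxy.yml pass `ocp_nodes_rdu3_stg` to `ternary()`. No hunk shown here defines `ocp_nodes_rdu3_stg`, so unless it already exists outside these hunks the expression names a variable that is never set. Both entries are gated on `env == "production"`, so the staging arm cannot be selected anyway. Writing `balancer_members: "{{ ocp_nodes_rdu3 }}"` would give the same result without the dangling reference.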
@@ -734,6 +734,30 @@
 - apps.ocp.fedoraproject.org
 when: env == "production"
 
+ - role: httpd/reverseproxy
+ website: "ocp-rdu3{{ env_suffix }}.fedoraproject.org"
+ destname: ocp-rdu3
+ balancer_name: ocp-rdu3
+ balancer_members: "{{ (env == 'staging')|ternary(ocp_nodes_rdu3_stg, ocp_nodes_rdu3) }}"
+ targettype: openshift
+ ocp4-rdu3: true
+ keephost: true
+ tags:
+ - ocp-rdu3.fedoraproject.org
+ when: env == "production" and datacenter == 'rdu3'
+
+ - role: httpd/reverseproxy
+ website: "apps.ocp-rdu3{{ env_suffix }}.fedoraproject.org"
+ destname: apps.ocp-rdu3
+ balancer_name: apps-ocp-rdu3
+ balancer_members: "{{ (env == 'staging')|ternary(ocp_nodes_rdu3_stg, ocp_nodes_rdu3) }}"
+ targettype: openshift
+ ocp4-rdu3: true
+ keephost: true
+ tags:
+ - apps.ocp-rdu3.fedoraproject.org
+ when: env == "production" and datacenter == 'rdu3'
+
 - role: httpd/reverseproxy
 website: "provision{{ env_suffix }}.fedoraproject.org"
 destname: zezere
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 7a066e30cc..4fe4995eef 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
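Review bot: The role parameter `ocp4-rdu3: true` in both new entries is not a usable variable name: Ansible documents variable names as letters, digits and underscores, and Jinja2 reads `{% elif ocp4-rdu3 %}` in the roles/httpd/reverseproxy/templates/reversepassproxy.conf hunk as the subtraction `ocp4 - rdu3`. As written, this flag does not select the branch that sets `SSLProxyCACertificateFile "/etc/haproxy/ocp.prod-rdu3.pem"`, the CA file the proxy uses to verify the rdu3 backend, and templating may fail on the undefined `rdu3`. Renaming to `ocp4_rdu3: true` here and `{% elif ocp4_rdu3 is defined %}` in the template keeps the two in step. That `elif` sits after the inner `{% endif %}`, so it attaches to an outer `if` that begins outside the hunk, presumably one testing `ocp4`; its condition should be checked against these entries, which do not set `ocp4`.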
@@ -718,6 +718,30 @@ - apps.ocp.fedoraproject.org when: env == "production" + - role: httpd/website + site_name: ocp-rdu3.fedoraproject.org + sslonly: true + cert_name: "{{wildcard_cert_name}}" + # The Connection and Upgrade headers don't work for h2 + # So non-h2 is needed to fix websockets. + use_h2: false + tags: + - ocp-rdu3.fedoraproject.org + when: env == "production" and datacenter == "rdu3" + + - role: httpd/website + site_name: apps.ocp-rdu3.fedoraproject.org + server_aliases: ["*.apps.ocp-rdu3.fedoraproject.org", api.apps.ocp-rdu3.fedoraproject.org] + sslonly: true + cert_name: "{{ocp_rdu3_wildcard_cert_name}}" + SSLCertificateChainFile: "{{ocp_rdu3_wildcard_int_file}}" + # The Connection and Upgrade headers don't work for h2 + # So non-h2 is needed to fix websockets. + use_h2: false + tags: + - apps.ocp-rdu3.fedoraproject.org + when: env == "production" and datacenter == "rdu3" + - role: httpd/website site_name: registry.fedoraproject.org server_aliases: [registry.stg.fedoraproject.org registry-no-cdn.fedoraproject.org] diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.conf index cd9bbc5b3f..7b75b3b1bd 100644 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.conf +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.conf @@ -29,6 +29,8 @@ SSLProxyCACertificateFile "/etc/haproxy/ocp-prod.pem" {% elif env == "staging" %} SSLProxyCACertificateFile "/etc/haproxy/ocp-stg.pem" {% endif %} +{% elif ocp4-rdu3 %} +SSLProxyCACertificateFile "/etc/haproxy/ocp.prod-rdu3.pem" {% endif %}
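Review bot: The `apps.ocp-rdu3.fedoraproject.org` entry depends on `ocp_rdu3_wildcard_cert_name` and `ocp_rdu3_wildcard_int_file`, but no hunk shown here installs the wildcard-2025 certificate, intermediate or key on the proxies. `ocp_rdu3_wildcard_cert_file` and `ocp_rdu3_wildcard_key_file` are defined in inventory/group_vars/all and not referenced by anything visible. If the install step is not already handled elsewhere, it should be added wherever the existing `ocp_wildcard_*` variables are consumed, under the same `when: env == "production" and datacenter == "rdu3"` condition, so the vhost is never rendered against missing files. A comment on the entry would also help, e.g. `# uses the dedicated ocp-rdu3 wildcard cert; the ocp-rdu3 site above uses wildcard_cert_name`.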