diff --git a/create-database.yml b/create-database.yml
index 38264cd..e777896 100644
--- a/create-database.yml
+++ b/create-database.yml
@@ -51,7 +51,7 @@
 - "{{ item }}"
 changed_when: False
 with_items: "{{ cluster_services }}"
- when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea']
+ when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea', 'workflow_index', 'workflow_proxy']
 - name: Add maria servers to hosts if necessary
 add_host:
@@ -94,6 +94,12 @@
 - role: webdav-postgres
 when: "'webdav' in group_names"
+ - role: workflow-index-postgres
+ when: "'workflow_index' in group_names"
+
+ - role: workflow-proxy-postgres
+ when: "'workflow_proxy' in group_names"
+
 - role: connect-wordpress-maria
 when: "'connect_wordpress' in group_names"
diff --git a/create-realm.yml b/create-realm.yml
index 24e2512..ec15f67 100644
--- a/create-realm.yml
+++ b/create-realm.yml
@@ -72,6 +72,9 @@
 - role: gitea-realm
 when: '"gitea" in cluster_services'
+ - role: workflow-proxy-realm
+ when: '"workflow-proxy" in cluster_services'
+
 #############################################################
 # Sending smardigo management message to process
 #############################################################
@@ -97,3 +100,7 @@
 retries: 5
 delay: 5
 delegate_to: 127.0.0.1
+ when:
+ - scope_id is defined
+ - process_instance_id is defined
+ - smardigo_management_action is defined
diff --git a/create-server.yml b/create-server.yml
index 97125c7..7fbe90c 100644
--- a/create-server.yml
+++ b/create-server.yml
@@ -153,3 +153,7 @@
 retries: 5
 delay: 5
 delegate_to: 127.0.0.1
+ when:
+ - scope_id is defined
+ - process_instance_id is defined
+ - smardigo_management_action is defined
diff --git a/create-service.yml b/create-service.yml
index 9b67774..0c13752 100644
--- a/create-service.yml
+++ b/create-service.yml
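Review bot: The new role condition in create-realm.yml uses a hyphenated service name, `when: '"workflow-proxy" in cluster_services'`, while every other place this commit keys the same service uses an underscore (the `'workflow_proxy'` entry added to the create-database.yml `when: item in [...]` list and the `'workflow_proxy' in group_names` guard). If cluster_services carries the underscore form, the workflow-proxy-realm role is silently never included, so the proxy gets a database but no Keycloak client. Change it to `when: '"workflow_proxy" in cluster_services'` unless the inventory really uses both spellings, in which case a comment saying so would help the next reader.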
@@ -109,3 +109,7 @@
 retries: 5
 delay: 5
 delegate_to: 127.0.0.1
+ when:
+ - scope_id is defined
+ - process_instance_id is defined
+ - smardigo_management_action is defined
diff --git a/group_vars/all/plain.yml b/group_vars/all/plain.yml
index 82db115..20b534b 100644
--- a/group_vars/all/plain.yml
+++ b/group_vars/all/plain.yml
@@ -70,7 +70,7 @@ smardigo_plattform_users:
 ip_whitelist:
 - "212.121.131.106" # tolina
 - "149.233.6.129" # sShelter
- - "87.141.83.195" # sven
+ - "87.150.38.134" # sven
 - "212.86.56.112" # peter
 - "{{ shared_service_network }}"
diff --git a/kubernetes.yml b/kubernetes.yml
index 0a5143e..242b6b0 100644
--- a/kubernetes.yml
+++ b/kubernetes.yml
@@ -28,5 +28,4 @@
 - { role: kubernetes/container-storage-interface }
 - { role: kubernetes/cert-manager }
 - { role: kubernetes/ingress-controller }
- - { role: kubernetes/apps, tags: prometheus }
- - { role: kubernetes/apps, tags: argo-cd }
+ - { role: kubernetes/apps }
diff --git a/roles/connect-realm/defaults/main.yml b/roles/connect-realm/defaults/main.yml
index 878c1b1..d155526 100644
--- a/roles/connect-realm/defaults/main.yml
+++ b/roles/connect-realm/defaults/main.yml
@@ -18,7 +18,7 @@ current_realm_clients: [
 "{{ http_s }}://{{ connect_base_url }}/*",
 "{{ http_s }}://{{ wordpress_base_url }}/*",
 ]',
- secret: '{{ cluster_name }}',
+ secret: '{{ connect_client_id }}',
 web_origins: '
 [
 "{{ http_s }}://{{ connect_base_url }}",
diff --git a/roles/kubernetes/apps/defaults/main.yml b/roles/kubernetes/apps/defaults/main.yml
index 1464ca4..5ecfd1d 100644
--- a/roles/kubernetes/apps/defaults/main.yml
+++ b/roles/kubernetes/apps/defaults/main.yml
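Review bot: The replaced entry `- "87.150.38.134" # sven` is an individual's access address kept in plain group_vars, and this hunk itself shows the value has already rotated once; since `ip_whitelist` is rendered into ingress `whitelist-source-range` elsewhere in this change, every rotation of a personal address becomes a cluster configuration commit and a stale entry keeps granting access until someone notices. Consider keeping only the stable organisation ranges and `shared_service_network` here and sourcing personal entries from a vaulted or inventory-level variable (or a VPN/bastion egress range), with a comment such as `# personal addresses: review and prune on each rotation` above the list.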
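Review bot: `secret: '{{ connect_client_id }}'` makes the Keycloak client secret identical to the public client ID, so the confidential client's credential is derivable by anyone who sees the client ID in a redirect, a token or a log line; the previous value `cluster_name` had the same weakness, so this change does not fix it. Use a dedicated random value instead, e.g. a vaulted `connect_client_secret` with no default and `secret: '{{ connect_client_secret }}'` here. The surrounding `current_realm_clients` definition starts and ends outside the hunk.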
@@ -120,7 +120,7 @@ k8s_argocd_helm__release_values:
 cert-manager.io/issue-temporary-certificate: "true"
 kubernetes.io/ingress.class: nginx
 nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ip_whitelist | join(',') }}"
- nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
 nginx.ingress.kubernetes.io/ssl-passthrough: "true"
 nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
 hosts:
diff --git a/roles/kubernetes/ingress-controller/defaults/main.yml b/roles/kubernetes/ingress-controller/defaults/main.yml
index 8e36e27..59c8642 100644
--- a/roles/kubernetes/ingress-controller/defaults/main.yml
+++ b/roles/kubernetes/ingress-controller/defaults/main.yml
@@ -7,11 +7,13 @@ k8s_ingress_helm__release_values:
 controller:
 replicaCount: 3
 config:
- use-forwarded-headers: "true"
 compute-full-forwarded-for: "true"
- use-proxy-protocol: "true"
 ssl-ciphers: "EECDH+AESGCM:EDH+AESGCM"
 ssl-protocols: "TLSv1.3"
+ ssl-redirect: false
+ use-forwarded-headers: "true"
+ use-proxy-protocol: "true"
+ whitelist-source-range: "{{ ip_whitelist | join(',') }}"
 service:
 externalTrafficPolicy: Local
 healthCheckNodePort: &healthchecknodeport 31066
diff --git a/roles/workflow-index-postgres/defaults/main.yml b/roles/workflow-index-postgres/defaults/main.yml
new file mode 100644
index 0000000..56c7701
--- /dev/null
+++ b/roles/workflow-index-postgres/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+
+workflow_index_postgres_database: "{{ stage }}_{{ tenant_id }}_workflow_index"
+workflow_index_postgres_password: "workflow-index-postgres-admin"
+
+postgres_acls:
+ - name: "{{ workflow_index_postgres_database }}"
+ password: "{{ workflow_index_postgres_password }}"
+ trusted_cidr_entry: "{{ shared_service_network }}"
diff --git a/roles/workflow-index-postgres/tasks/main.yml b/roles/workflow-index-postgres/tasks/main.yml
new file mode 100644
index 0000000..f80676b
--- /dev/null
+++ b/roles/workflow-index-postgres/tasks/main.yml
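Review bot: Setting `nginx.ingress.kubernetes.io/force-ssl-redirect: "false"` on the Argo CD ingress, together with the global `ssl-redirect: false` added in the ingress-controller hunk of this same commit, means a plain-HTTP request for this host is proxied to the backend instead of being answered with a redirect, so a session started over http:// is no longer stopped at the edge. If this is needed for an ACME http-01 path or a load-balancer health check, scope it to that path and keep the redirect for the host; otherwise keep `"true"`. Argo CD's own server may still redirect when it serves TLS itself, but that depends on its configuration outside this diff, so please confirm rather than rely on it. The `k8s_argocd_helm__release_values` mapping starts and ends outside the hunk.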
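Review bot: `ssl-redirect: false` is the only unquoted value in the `config:` map; these keys are rendered into the controller ConfigMap `data`, whose values must be strings, so a YAML boolean here is likely to be rejected or retyped — write `ssl-redirect: "false"` like its neighbours. Disabling the redirect at controller level also switches off HTTPS enforcement for every ingress this controller serves, not only the one that needs it; prefer leaving the global default and overriding per ingress with the `force-ssl-redirect` annotation. The new `whitelist-source-range` only filters the real client address because `use-proxy-protocol: "true"` is re-added alongside it; if that flag is ever turned off while `use-forwarded-headers: "true"` stays, the allowlist would trust a client-supplied X-Forwarded-For, which is worth a one-line comment above the two keys. The release values mapping continues past the hunk.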
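Review bot: `workflow_index_postgres_password: "workflow-index-postgres-admin"` is a static, guessable credential committed as a role default, the lowest-precedence variable level in Ansible, so any tenant whose inventory does not override it silently gets this password for a database whose ACL trusts all of `shared_service_network`. Either move the value into a vaulted per-tenant variable with no default, or keep the key but make the role refuse the placeholder, e.g. an `assert` that `workflow_index_postgres_password != "workflow-index-postgres-admin"` before the postgres role is included. A comment such as `# placeholder only — must be overridden per tenant from vault` on the key would make the intent visible to whoever copies this role next.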
@@ -0,0 +1,9 @@
+---
+
+### tags:
+### - remove-data
+
+- name: "Setup postgres database on {{ inventory_hostname }}"
+ include_role:
+ name: postgres
+ tasks_from: _postgres-acls
diff --git a/roles/workflow-proxy-postgres/defaults/main.yml b/roles/workflow-proxy-postgres/defaults/main.yml
new file mode 100644
index 0000000..3e1583e
--- /dev/null
+++ b/roles/workflow-proxy-postgres/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+
+workflow_proxy_postgres_database: "{{ stage }}_{{ tenant_id }}_workflow_proxy"
+workflow_proxy_postgres_password: "workflow-proxy-postgres-admin"
+
+postgres_acls:
+ - name: "{{ workflow_proxy_postgres_database }}"
+ password: "{{ workflow_proxy_postgres_password }}"
+ trusted_cidr_entry: "{{ shared_service_network }}"
diff --git a/roles/workflow-proxy-postgres/tasks/main.yml b/roles/workflow-proxy-postgres/tasks/main.yml
new file mode 100644
index 0000000..f80676b
--- /dev/null
+++ b/roles/workflow-proxy-postgres/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+
+### tags:
+### - remove-data
+
+- name: "Setup postgres database on {{ inventory_hostname }}"
+ include_role:
+ name: postgres
+ tasks_from: _postgres-acls
diff --git a/roles/workflow-proxy-realm/defaults/main.yml b/roles/workflow-proxy-realm/defaults/main.yml
new file mode 100644
index 0000000..a1c7ed8
--- /dev/null
+++ b/roles/workflow-proxy-realm/defaults/main.yml
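Review bot: `workflow_proxy_postgres_password: "workflow-proxy-postgres-admin"` repeats the pattern of the workflow-index role in this commit: a fixed password as a role default that is used wherever the inventory forgets to override it, for a database whose `trusted_cidr_entry` is all of `shared_service_network`. Replace it with a vaulted per-tenant variable that has no default, or add an `assert` in tasks/main.yml that fails while the placeholder value is still in use. The two new postgres roles are identical apart from the name prefix (same tasks file hash `f80676b`), so a single role parameterised by service name would avoid fixing this in two places.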
@@ -0,0 +1,38 @@
+---
+
+workflow_proxy_client_id: "{{ cluster_name }}"
+
+workflow_proxy_base_url: "{{ stage }}-{{ tenant_id }}-{{ cluster_name }}.{{ domain }}"
+
+current_realm_clients: [
+ {
+ name: '{{ workflow_proxy_client_id }}',
+ clientId: "{{ workflow_proxy_client_id }}",
+ admin_url: '',
+ root_url: '',
+ redirect_uris: '
+ [
+ "http://{{ workflow_proxy_base_url }}/*",
+ "https://{{ workflow_proxy_base_url }}/*",
+ ]',
+ secret: '{{ workflow_proxy_client_id }}',
+ web_origins: '
+ [
+ "http://{{ workflow_proxy_base_url }}/*",
+ "https://{{ workflow_proxy_base_url }}/*",
+ ]',
+ }
+]
+
+current_realm_users: [
+ {
+ "username": "{{ connect_client_admin_username }}",
+ "password": "{{ connect_client_admin_password }}",
+ }
+]
+current_realm_admin_users: [
+ {
+ "username": "{{ connect_realm_admin_username }}",
+ "password": "{{ connect_realm_admin_password }}",
+ }
+]
diff --git a/roles/workflow-proxy-realm/handlers/main.yml b/roles/workflow-proxy-realm/handlers/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/roles/workflow-proxy-realm/handlers/main.yml
@@ -0,0 +1 @@
+---
diff --git a/roles/workflow-proxy-realm/meta/main.yml b/roles/workflow-proxy-realm/meta/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/roles/workflow-proxy-realm/meta/main.yml
@@ -0,0 +1 @@
+---
diff --git a/roles/workflow-proxy-realm/tasks/main.yml b/roles/workflow-proxy-realm/tasks/main.yml
new file mode 100644
index 0000000..795609f
--- /dev/null
+++ b/roles/workflow-proxy-realm/tasks/main.yml
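Review bot: `secret: '{{ workflow_proxy_client_id }}'` sets the Keycloak client secret to the client ID, which is itself just `cluster_name`, so the secret proves nothing beyond knowing the cluster name; use a separate random, vaulted `workflow_proxy_client_secret` with no default here. `redirect_uris` also registers `"http://{{ workflow_proxy_base_url }}/*"`, which lets an authorization code be delivered over plaintext; drop the http entry unless the proxy is genuinely served without TLS, and say so in a comment if it is. The `web_origins` entries carry a `/*` suffix while Keycloak web origins are scheme-plus-host origins; whether the consuming keycloak role strips the path is not visible in this diff, so please confirm it matches. Finally, `current_realm_users` and `current_realm_admin_users` reuse the `connect_client_admin_*` and `connect_realm_admin_*` credentials, which shares one admin password across realms.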
@@ -0,0 +1,23 @@
+---
+
+### tags:
+
+- name: "Setup realm for {{ inventory_hostname }}"
+ include_role:
+ name: keycloak
+ tasks_from: _authenticate
+
+- name: "Setup realm for {{ inventory_hostname }}"
+ include_role:
+ name: keycloak
+ tasks_from: _configure_realm
+
+- name: "Create realm users"
+ include_role:
+ name: keycloak
+ tasks_from: _create_realm_users
+
+- name: "Create realm admin"
+ include_role:
+ name: keycloak
+ tasks_from: _create_realm_admin
diff --git a/roles/workflow-proxy-realm/vars/main.yml b/roles/workflow-proxy-realm/vars/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/roles/workflow-proxy-realm/vars/main.yml
@@ -0,0 +1 @@
+---
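Review bot: Two consecutive tasks carry the same name, `"Setup realm for {{ inventory_hostname }}"`, although the first runs `_authenticate` and the second `_configure_realm`; in play output and with `--start-at-task` they are indistinguishable. Rename the first to `- name: "Authenticate against keycloak for {{ inventory_hostname }}"` and leave the second as the realm setup. The `### tags:` header is also left empty here while the sibling postgres roles in this commit list `remove-data`; either list the tags this role supports or drop the stub.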