chore: Set openstack version Zed (#310)

* chore: Set openstack version Zed

* Update chart versions

* Fixes after e2e test

- Add python-binary-memcached as default pip package (required for oslo_cache.memcache_pool backend)
- install nova first, then neutron, because network creation requires the az to be created first by the nova helmrelease
- update registry url for some images

* Update charts

Apply horizon patch for mysqlclient version upgrade

* Add neutron patchset to add placement auth config

* Add neutron patch and set nova-ssh tag as latest

* Update horizon chart

---------

Co-authored-by: okozachenko1203 <okozachenko1203@users.noreply.github.com>
diff --git a/charts/barbican/Chart.yaml b/charts/barbican/Chart.yaml
index 75af00f..8828804 100644
--- a/charts/barbican/Chart.yaml
+++ b/charts/barbican/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/barbican
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.12
+version: 0.3.0
diff --git a/charts/barbican/charts/helm-toolkit/Chart.yaml b/charts/barbican/charts/helm-toolkit/Chart.yaml
index 26244bd..c1296b9 100644
--- a/charts/barbican/charts/helm-toolkit/Chart.yaml
+++ b/charts/barbican/charts/helm-toolkit/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/openstack-helm-infra
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.42
+version: 0.2.51
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_ingress.tpl
index c1693aa..4c476b2 100644
--- a/charts/barbican/charts/helm-toolkit/templates/manifests/_ingress.tpl
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -685,7 +685,9 @@
 {{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
 {{- end }}
 {{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
-{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
 {{- $vHosts := list $hostNameFull }}
 ---
 apiVersion: networking.k8s.io/v1
@@ -704,7 +706,6 @@
 {{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
 {{- $vHosts = append $vHosts $v }}
 {{- end }}
-{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
 {{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
 {{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
   tls:
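Review bot: With the `tls.key`/`tls.crt` guard removed in this hunk, the `tls:` block and the `required` check on `$secretName` now run for every host that is not cluster-local, whether or not certificate material is supplied in values. A chart that sets a public host override without a matching `secrets.tls` entry will presumably fail to render, possibly inside `index` before `required` can print its message. A chart that names a secret nothing creates will publish an Ingress that points at a missing TLS secret. If the intent is to allow certificates issued outside the chart, a comment above the lookup would record it, for example `{{/* the TLS secret may be created outside this chart; it must exist before the Ingress is used */}}`. The enclosing define starts and ends outside the hunk.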
@@ -716,7 +717,6 @@
 {{- end }}
 {{- end }}
 {{- end }}
-{{- end }}
   rules:
 {{- range $vHost := $vHosts }}
 {{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
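Review bot: The header example does not match the template: it documents the credential key as `name:` and the output key as `dockerconfigjson:`, while the code reads `$imageCredentials.username` and emits `.dockerconfigjson`. A values file written from the example would leave `username` unset, and the rendered auth token would silently encode a placeholder instead of failing. I would correct the example to `username: {{ $userName }}` and `.dockerconfigjson: {{ $dockerAuth }}`, and drop the second example, which duplicates the first. The lookups should also fail closed, for example `{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser | required "secrets.oci_image_registry has no entry for this chart" }}`, with the same treatment for the username and password. This file sits under the vendored helm-toolkit subchart, so the fix probably belongs upstream as well.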
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
index 87872d6..3739f95 100644
--- a/charts/barbican/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -77,6 +77,11 @@
   password="${RABBITMQ_PASSWORD}" \
   tags="user"
 
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
 if [ "${RABBITMQ_VHOST}" != "/" ]
 then
   echo "Managing: vHost: ${RABBITMQ_VHOST}"
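Review bot: `|| true` on the guest deletion hides every failure, not only the case where the user is already gone, so a run in which the management API rejects the call leaves the default `guest` account in place with nothing in the job log. Keeping the step non-fatal is reasonable, but it should say what happened: `name="guest" || echo "WARNING: guest user was not deleted; confirm it is absent"`. The step also runs after the service user is created above, so it assumes `RABBITMQ_USER` is never `guest`; that cannot be checked from this hunk.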
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
index 516d79e..9597d34 100644
--- a/charts/barbican/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -66,6 +66,14 @@
 #       framework will automatically tar/zip the files in that directory and
 #       name the tarball appropriately according to the proper conventions.
 #
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
 # The functions in this file will take care of:
 #   1) Calling "dump_databases_to_directory" and then compressing the files,
 #      naming the tarball properly, and then storing it locally at the specified
@@ -90,6 +98,16 @@
   exit $ERRCODE
 }
 
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
 log() {
   #Log message to a file or stdout
   #TODO: This can be convert into mail alert of alert send to a monitoring system
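Review bot: `ERRCODE=${2:-0}` makes `log_verify_backup_exit` exit with status 0 unless the caller passes a second argument, and the only call visible on this page (in the verification hunk further down) passes just the message. A failed verification would therefore end the job as a success, and the `exit 1` written after that call is never reached. Defaulting to failure fixes both: `ERRCODE=${2:-1}`. The commented-out `# rm -rf $TMP_DIR` also leaves the working directory behind on this path, and it presumably still holds the dump files. If that is deliberate for debugging, a comment should say so.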
@@ -195,18 +213,52 @@
     fi
   fi
 
+  # load balance delay
+  DELAY=$((1 + ${RANDOM} % 300))
+  echo "Sleeping for ${DELAY} seconds to spread the load in time..."
+  sleep ${DELAY}
+
   # Create an object to store the file
   openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
     return 2
   fi
+
   openstack object show $CONTAINER_NAME $FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
     return 2
   fi
 
+  # load balance delay
+  DELAY=$((1 + ${RANDOM} % 300))
+  echo "Sleeping for ${DELAY} seconds to spread the load in time..."
+  sleep ${DELAY}
+
+  # Calculation remote file SHA256 hash
+  REMOTE_FILE=$(mktemp -p /tmp)
+  openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+    rm -rf ${REMOTE_FILE}
+    return 1
+  fi
+
+  # Remote backup verification
+  SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+  SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+  if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+      return 1
+  fi
+  rm -rf ${REMOTE_FILE}
+
   log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
   return 0
 }
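Review bot: On a hash mismatch the function returns before `rm -rf ${REMOTE_FILE}`, so the downloaded copy of the backup stays in `/tmp`; the download-failure branch above it does clean up. Both digests are already computed at that point, so the removal can move to directly after the two `sha256sum` lines as `rm -f "${REMOTE_FILE}"`. The mismatch branch also returns 1 while the other upload failures in this function return 2; whether the caller treats those differently is not visible here. The function begins above the hunk.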
@@ -382,8 +434,8 @@
 
   # Cleanup now that we're done.
   for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
-    if [[ -f fd ]]; then
-      rm -f fd
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
     else
       log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
     fi
@@ -444,10 +496,6 @@
 
   cd $ARCHIVE_DIR
 
-  # Remove the temporary directory and files as they are no longer needed.
-  rm -rf $TMP_DIR
-  rm -f $ERR_LOG_FILE
-
   #Only delete the old archive after a successful archive
   export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
   if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
@@ -459,6 +507,25 @@
     done
   fi
 
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  # Remote backup
   REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
   if $REMOTE_BACKUP; then
     # Remove Quotes from the constants which were added due to reading
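Review bot: Verification runs after the block that prunes old local archives (the `done`/`fi` at the top of this hunk closes it), so a backup that fails `verify_databases_backup_archives` can already have displaced older, good archives. Moving the verification above the pruning keeps the last known-good copies until the new one is proven. The comment in the `else` branch, `# If successful, there should be at least one file in the TMP_DIR`, describes the dump step rather than this one; `# Verification failed: print the error log if the dump produced no files` would match the code. The function starts and ends outside the hunk.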
@@ -490,7 +557,7 @@
       get_backup_prefix $(cat $DB_BACKUP_FILES)
       for ((i=0; i<${#PREFIXES[@]}; i++)); do
         echo "Working with prefix: ${PREFIXES[i]}"
-        create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
         remove_old_remote_archives
       done
     fi
@@ -511,4 +578,4 @@
     echo "=================================================================="
   fi
 }
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
index 4cc898d..bc2045e 100644
--- a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -42,6 +42,12 @@
 metadata:
   name: {{ $saName }}
   namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
 {{- range $k, $v := $deps -}}
 {{- if eq $k "services" }}
 {{- range $serv := $v }}
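Review bot: The `imagePullSecrets` name is looked up with `index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name` and written without a check, so a chart with no entry under its own name would render `- name:` with an empty value on every service account it creates. The two `if` conditions also dereference `manifests.secret_registry` and `endpoints.oci_image_registry.auth`, which any chart that picks up this helm-toolkit version without adding those values will not have. Piping the lookup through `required "secrets.oci_image_registry has no entry for this chart"` would turn the first case into a render-time error. The template body continues outside the hunk.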
diff --git a/charts/barbican/requirements.lock b/charts/barbican/requirements.lock
index ba8d219..473e717 100644
--- a/charts/barbican/requirements.lock
+++ b/charts/barbican/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: helm-toolkit
   repository: file://../../openstack-helm-infra/helm-toolkit
-  version: 0.2.42
-digest: sha256:6525a5fedf1bf00b4d1b4d1cd20b0fba9808bf3b7e41cfd76abdfe7267bd4998
-generated: "2022-05-16T22:35:19.376340743Z"
+  version: 0.2.51
+digest: sha256:9fe05ff9103d825422e13cdd8ce9852c3dacfadc12751b7883affdbe483b1b3b
+generated: "2023-01-30T23:09:57.120939961Z"
diff --git a/charts/barbican/templates/configmap-etc.yaml b/charts/barbican/templates/configmap-etc.yaml
index c8e08cb..d9323e0 100644
--- a/charts/barbican/templates/configmap-etc.yaml
+++ b/charts/barbican/templates/configmap-etc.yaml
@@ -68,11 +68,11 @@
 {{- end -}}
 
 {{- if empty .Values.conf.barbican.barbican_api.bind_port -}}
-{{- $_ := tuple "key_manager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.barbican.barbican_api "bind_port" -}}
+{{- $_ := tuple "key_manager" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.barbican.barbican_api "bind_port" -}}
 {{- end -}}
 
 {{- if empty .Values.conf.barbican_api.uwsgi.socket -}}
-{{- $_ := printf ":%s" ( tuple "key_manager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" ) | set .Values.conf.barbican_api.uwsgi "socket" -}}
+{{- $_ := printf ":%s" ( tuple "key_manager" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" ) | set .Values.conf.barbican_api.uwsgi "socket" -}}
 {{- end -}}
 
 {{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
diff --git a/charts/barbican/templates/deployment-api.yaml b/charts/barbican/templates/deployment-api.yaml
index 9033971..4e281d9 100644
--- a/charts/barbican/templates/deployment-api.yaml
+++ b/charts/barbican/templates/deployment-api.yaml
@@ -64,6 +64,11 @@
           command:
             - /tmp/barbican.sh
             - start
+          env:
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/barbican/certs/ca.crt"
+{{- end }}
           lifecycle:
             preStop:
               exec:
@@ -72,10 +77,12 @@
                   - stop
           ports:
             - name: b-api
-              containerPort: {{ tuple "key_manager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              containerPort: {{ tuple "key_manager" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
           readinessProbe:
-            tcpSocket:
-              port: {{ tuple "key_manager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            httpGet:
+              scheme: HTTP
+              path: /
+              port: {{ tuple "key_manager" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
           volumeMounts:
             - name: pod-tmp
               mountPath: /tmp
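Review bot: The new readiness probe hard-codes `scheme: HTTP`, while the same commit mounts API certificates and sets `REQUESTS_CA_BUNDLE` when `manifests.certificates` or `tls.identity` is on. If the API is served over TLS in that mode the probe will fail, or operators are pushed to keep a plaintext listener. The cinder deployment on this page derives the scheme from the endpoint instead. The equivalent here is `scheme: {{ tuple "key_manager" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}`, fed by the `scheme.service` value this commit adds to values.yaml.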
@@ -112,6 +119,9 @@
               subPath: barbican.sh
               readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.key_manager.api.internal "path" "/etc/barbican/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+
 {{ if $mounts_barbican_api.volumeMounts }}{{ toYaml $mounts_barbican_api.volumeMounts | indent 12 }}{{ end }}
       volumes:
         - name: pod-tmp
@@ -127,5 +137,8 @@
             name: barbican-bin
             defaultMode: 0555
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.key_manager.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+
 {{ if $mounts_barbican_api.volumes }}{{ toYaml $mounts_barbican_api.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/charts/barbican/templates/job-bootstrap.yaml b/charts/barbican/templates/job-bootstrap.yaml
index ced8bc3..da4392d 100644
--- a/charts/barbican/templates/job-bootstrap.yaml
+++ b/charts/barbican/templates/job-bootstrap.yaml
@@ -24,5 +24,8 @@
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
 {{- end -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
+{{- end -}}
 {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
 {{- end }}
diff --git a/charts/barbican/templates/job-ks-endpoints.yaml b/charts/barbican/templates/job-ks-endpoints.yaml
index 023f58e..cd5d9bc 100644
--- a/charts/barbican/templates/job-ks-endpoints.yaml
+++ b/charts/barbican/templates/job-ks-endpoints.yaml
@@ -24,5 +24,8 @@
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
 {{- end -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
+{{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
 {{- end }}
diff --git a/charts/barbican/templates/job-ks-service.yaml b/charts/barbican/templates/job-ks-service.yaml
index c0e0683..08a93d0 100644
--- a/charts/barbican/templates/job-ks-service.yaml
+++ b/charts/barbican/templates/job-ks-service.yaml
@@ -24,5 +24,8 @@
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
 {{- end -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
+{{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
 {{- end }}
diff --git a/charts/barbican/templates/job-ks-user.yaml b/charts/barbican/templates/job-ks-user.yaml
index e16e033..c74bf31 100644
--- a/charts/barbican/templates/job-ks-user.yaml
+++ b/charts/barbican/templates/job-ks-user.yaml
@@ -24,5 +24,8 @@
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
 {{- end -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
+{{- end -}}
 {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{- end }}
diff --git a/charts/barbican/templates/pdb-api.yaml b/charts/barbican/templates/pdb-api.yaml
index e155d76..77e7752 100644
--- a/charts/barbican/templates/pdb-api.yaml
+++ b/charts/barbican/templates/pdb-api.yaml
@@ -15,7 +15,7 @@
 {{- if .Values.manifests.pdb_api }}
 {{- $envAll := . }}
 ---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: barbican-api
diff --git a/charts/nova/templates/bin/_nova-consoleauth.sh.tpl b/charts/barbican/templates/secret-registry.yaml
similarity index 71%
rename from charts/nova/templates/bin/_nova-consoleauth.sh.tpl
rename to charts/barbican/templates/secret-registry.yaml
index 97c4195..da979b3 100644
--- a/charts/nova/templates/bin/_nova-consoleauth.sh.tpl
+++ b/charts/barbican/templates/secret-registry.yaml
@@ -1,5 +1,3 @@
-#!/bin/bash
-
 {{/*
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,6 +12,6 @@
 limitations under the License.
 */}}
 
-set -x
-exec nova-consoleauth \
-      --config-file /etc/nova/nova.conf
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/barbican/templates/service-api.yaml b/charts/barbican/templates/service-api.yaml
index 0f63ee3..b995fdc 100644
--- a/charts/barbican/templates/service-api.yaml
+++ b/charts/barbican/templates/service-api.yaml
@@ -22,7 +22,7 @@
 spec:
   ports:
   - name: b-api
-    port: {{ tuple "key-manager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    port: {{ tuple "key-manager" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
     {{ if .Values.network.api.node_port.enabled }}
     nodePort: {{ .Values.network.api.node_port.port }}
     {{ end }}
diff --git a/charts/barbican/values.yaml b/charts/barbican/values.yaml
index 5bd154e..5c598ed 100644
--- a/charts/barbican/values.yaml
+++ b/charts/barbican/values.yaml
@@ -35,16 +35,16 @@
 
 images:
   tags:
-    bootstrap: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+    bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
     dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
-    scripted_test: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
-    db_init: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
-    barbican_db_sync: docker.io/openstackhelm/barbican:ussuri-ubuntu_bionic
-    db_drop: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
-    ks_user: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
-    ks_service: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
-    ks_endpoints: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
-    barbican_api: docker.io/openstackhelm/barbican:ussuri-ubuntu_bionic
+    scripted_test: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    barbican_db_sync: docker.io/openstackhelm/barbican:wallaby-ubuntu_focal
+    db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    ks_service: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    barbican_api: docker.io/openstackhelm/barbican:wallaby-ubuntu_focal
     rabbit_init: docker.io/rabbitmq:3.7-management
     image_repo_sync: docker.io/docker:17.07.0
   pull_policy: "IfNotPresent"
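Review bot: The commit title sets the release to Zed, but every tag changed here moves to `wallaby-ubuntu_focal`. If the deployment tooling overrides these defaults that is fine; otherwise the chart default and the stated release disagree. The tags are also mutable references on a public registry, so the running image can change without any change to the chart. Pinning by digest (`<image>@sha256:<digest>`) or pulling from a controlled mirror makes upgrades reviewable. A comment such as `# defaults only; overridden per release by the deployer` would remove the ambiguity if that is the case.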
@@ -496,6 +496,9 @@
     key_manager:
       api:
         public: barbican-tls-public
+        internal: barbican-tls-internal
+  oci_image_registry:
+    barbican: barbican-oci-image-registry
 
 endpoints:
   cluster_domain_suffix: cluster.local
@@ -511,6 +514,21 @@
     port:
       registry:
         node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      barbican:
+        username: barbican
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
   identity:
     name: keystone
     auth:
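Review bot: The new `oci_image_registry.auth.barbican` block ships `password: password` as a default. `auth.enabled` is false, so nothing is rendered out of the box, but turning it on without overriding the credential produces a pull secret built from the placeholder. Leaving the value empty (`password: ""`) and having the secret template reject an empty credential would make that misconfiguration fail at render time instead of at image pull. `port.registry.default: null` appears to be intentional for the host-only case the template handles; a comment such as `# null: the registry address is rendered without a port` would make that explicit.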
@@ -553,10 +571,12 @@
       default: /
     scheme:
       default: http
+      service: http
     port:
       api:
         default: 9311
         public: 80
+        service: 9311
   oslo_db:
     auth:
       admin:
@@ -582,6 +602,9 @@
       admin:
         username: rabbitmq
         password: password
+        secret:
+          tls:
+            internal: rabbitmq-tls-direct
       barbican:
         username: barbican
         password: password
@@ -654,6 +677,11 @@
       ingress:
         default: 80
 
+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
 manifests:
   certificates: false
   configmap_bin: true
@@ -676,6 +704,7 @@
   secret_ingress_tls: true
   secret_keystone: true
   secret_rabbitmq: true
+  secret_registry: true
   service_ingress_api: true
   service_api: true
 ...
diff --git a/charts/cinder/Chart.yaml b/charts/cinder/Chart.yaml
index 06d521e..88894e0 100644
--- a/charts/cinder/Chart.yaml
+++ b/charts/cinder/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/cinder
 - https://opendev.org/openstack/openstack-helm
-version: 0.3.2
+version: 0.3.3
diff --git a/charts/cinder/charts/helm-toolkit/Chart.yaml b/charts/cinder/charts/helm-toolkit/Chart.yaml
index 12e2dd2..c1296b9 100644
--- a/charts/cinder/charts/helm-toolkit/Chart.yaml
+++ b/charts/cinder/charts/helm-toolkit/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/openstack-helm-infra
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.50
+version: 0.2.51
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
index 687851e..9597d34 100644
--- a/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -213,6 +213,11 @@
     fi
   fi
 
+  # load balance delay
+  DELAY=$((1 + ${RANDOM} % 300))
+  echo "Sleeping for ${DELAY} seconds to spread the load in time..."
+  sleep ${DELAY}
+
   # Create an object to store the file
   openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
   if [[ $? -ne 0 ]]; then
@@ -226,6 +231,11 @@
     return 2
   fi
 
+  # load balance delay
+  DELAY=$((1 + ${RANDOM} % 300))
+  echo "Sleeping for ${DELAY} seconds to spread the load in time..."
+  sleep ${DELAY}
+
   # Calculation remote file SHA256 hash
   REMOTE_FILE=$(mktemp -p /tmp)
   openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
diff --git a/charts/cinder/requirements.lock b/charts/cinder/requirements.lock
index 247eb57..e75149c 100644
--- a/charts/cinder/requirements.lock
+++ b/charts/cinder/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: helm-toolkit
   repository: file://../../openstack-helm-infra/helm-toolkit
-  version: 0.2.50
-digest: sha256:67fc0fd70898d60cddd5c634b632205a7716bfeb21e57adaeda464efbcfa2ce3
-generated: "2023-01-18T19:17:50.242264032Z"
+  version: 0.2.51
+digest: sha256:9fe05ff9103d825422e13cdd8ce9852c3dacfadc12751b7883affdbe483b1b3b
+generated: "2023-01-30T23:09:56.648802173Z"
diff --git a/charts/cinder/templates/configmap-etc.yaml b/charts/cinder/templates/configmap-etc.yaml
index fe73a88..e5a7ce7 100644
--- a/charts/cinder/templates/configmap-etc.yaml
+++ b/charts/cinder/templates/configmap-etc.yaml
@@ -94,7 +94,7 @@
 {{- end -}}
 
 {{- if empty .Values.conf.cinder.DEFAULT.osapi_volume_listen_port -}}
-{{- $_ := tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.cinder.DEFAULT "osapi_volume_listen_port" -}}
+{{- $_ := tuple "volume" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.cinder.DEFAULT "osapi_volume_listen_port" -}}
 {{- end -}}
 
 {{- if .Values.conf.cinder.service_user.send_service_user_token -}}
diff --git a/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml b/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
index 1d935f1..897b5b6 100644
--- a/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
+++ b/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
@@ -90,7 +90,7 @@
                   mountPath: /tmp/volume-usage-audit.sh
                   subPath: volume-usage-audit.sh
                   readOnly: true
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
 {{ if $mounts_cinder_volume_usage_audit.volumeMounts }}{{ toYaml $mounts_cinder_volume_usage_audit.volumeMounts | indent 16 }}{{ end }}
@@ -107,7 +107,7 @@
               configMap:
                 name: cinder-bin
                 defaultMode: 0555
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{ if $mounts_cinder_volume_usage_audit.volumes }}{{ toYaml $mounts_cinder_volume_usage_audit.volumes | indent 12 }}{{ end }}
diff --git a/charts/cinder/templates/deployment-api.yaml b/charts/cinder/templates/deployment-api.yaml
index b3e6be1..8ef5754 100644
--- a/charts/cinder/templates/deployment-api.yaml
+++ b/charts/cinder/templates/deployment-api.yaml
@@ -93,17 +93,17 @@
                   - stop
           ports:
             - name: c-api
-              containerPort: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              containerPort: {{ tuple "volume" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
           readinessProbe:
             httpGet:
-              scheme: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+              scheme: {{ tuple "volume" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
               path: /
-              port: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              port: {{ tuple "volume" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
           livenessProbe:
             httpGet:
-              scheme: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+              scheme: {{ tuple "volume" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
               path: /
-              port: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              port: {{ tuple "volume" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
             initialDelaySeconds: 30
             failureThreshold: 3
             periodSeconds: 10
@@ -165,7 +165,7 @@
               readOnly: true
             {{- end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }}
       volumes:
@@ -188,7 +188,7 @@
           emptyDir: {}
         {{- end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/charts/cinder/templates/deployment-scheduler.yaml b/charts/cinder/templates/deployment-scheduler.yaml
index 59c3597..cf69dd1 100644
--- a/charts/cinder/templates/deployment-scheduler.yaml
+++ b/charts/cinder/templates/deployment-scheduler.yaml
@@ -107,7 +107,7 @@
             - name: cinder-coordination
               mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
             {{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_cinder_scheduler.volumeMounts }}{{ toYaml $mounts_cinder_scheduler.volumeMounts | indent 12 }}{{ end }}
@@ -128,7 +128,7 @@
         - name: cinder-coordination
           emptyDir: {}
         {{- end }}
- {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_cinder_scheduler.volumes }}{{ toYaml $mounts_cinder_scheduler.volumes | indent 8 }}{{ end }}
diff --git a/charts/cinder/templates/deployment-volume.yaml b/charts/cinder/templates/deployment-volume.yaml
index 0fccd46..9207c25 100644
--- a/charts/cinder/templates/deployment-volume.yaml
+++ b/charts/cinder/templates/deployment-volume.yaml
@@ -131,7 +131,7 @@
               readOnly: true
             - name: pod-shared
               mountPath: /tmp/pod-shared
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
           env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
@@ -281,7 +281,7 @@
               mountPropagation: HostToContainer
               {{- end }}
             {{- end }}
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }}
@@ -351,7 +351,7 @@
             path: /sys
         {{- end }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/charts/cinder/templates/ingress-api.yaml b/charts/cinder/templates/ingress-api.yaml
index f5ab1ff..4586d3a 100644
--- a/charts/cinder/templates/ingress-api.yaml
+++ b/charts/cinder/templates/ingress-api.yaml
@@ -14,10 +14,10 @@
 
 {{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
 {{- $envAll := . -}}
-{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "volumev3" "backendPort" "c-api" -}}
-{{- $secretName := $envAll.Values.secrets.tls.volumev3.api.internal -}}
+{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "volume" "backendPort" "c-api" -}}
+{{- $secretName := $envAll.Values.secrets.tls.volume.api.internal -}}
 {{- if and .Values.manifests.certificates $secretName -}}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.volumev3.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.volume.host_fqdn_override.default.tls.issuerRef.name -}}
 {{- end -}}
 {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
 {{- end }}
diff --git a/charts/cinder/templates/job-bootstrap.yaml b/charts/cinder/templates/job-bootstrap.yaml
index a7b590e..271b948 100644
--- a/charts/cinder/templates/job-bootstrap.yaml
+++ b/charts/cinder/templates/job-bootstrap.yaml
@@ -20,7 +20,7 @@
 {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
 {{- $bootstrapJob := dict "envAll" . "serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
-{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
 {{- end -}}
 {{- if .Values.pod.tolerations.cinder.enabled -}}
 {{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
diff --git a/charts/cinder/templates/job-create-internal-tenant.yaml b/charts/cinder/templates/job-create-internal-tenant.yaml
index 78de218..1a0a475 100644
--- a/charts/cinder/templates/job-create-internal-tenant.yaml
+++ b/charts/cinder/templates/job-create-internal-tenant.yaml
@@ -68,7 +68,7 @@
               mountPath: /tmp/create-internal-tenant.sh
               subPath: create-internal-tenant.sh
               readOnly: true
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
           env:
 {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
@@ -97,5 +97,5 @@
           configMap:
             name: {{ $configMapBin | quote }}
             defaultMode: 0555
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end -}}
diff --git a/charts/cinder/templates/job-ks-endpoints.yaml b/charts/cinder/templates/job-ks-endpoints.yaml
index 99d5360..cee225b 100644
--- a/charts/cinder/templates/job-ks-endpoints.yaml
+++ b/charts/cinder/templates/job-ks-endpoints.yaml
@@ -17,10 +17,17 @@
 helm.sh/hook-weight: "-2"
 {{- end }}
 
+{{- $volTypes := list "volumev3" -}}
+{{- if .Values.conf.cinder.DEFAULT.enable_v1_api }}
+{{- $volTypes = append $volTypes "volume" }}
+{{- end }}
+{{- if .Values.conf.cinder.DEFAULT.enable_v2_api }}
+{{- $volTypes = append $volTypes "volumev2" }}
+{{- end }}
 {{- if .Values.manifests.job_ks_endpoints }}
-{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volumev3" ) -}}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( $volTypes ) -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
diff --git a/charts/cinder/templates/job-ks-service.yaml b/charts/cinder/templates/job-ks-service.yaml
index 159f66a..ff83df3 100644
--- a/charts/cinder/templates/job-ks-service.yaml
+++ b/charts/cinder/templates/job-ks-service.yaml
@@ -24,9 +24,16 @@
 {{- $serviceTypes = append $serviceTypes $v }}
 {{- end }}
 {{- end }}
-{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" $serviceTypes -}}
+{{- $volTypes := list "volumev3" -}}
+{{- if .Values.conf.cinder.DEFAULT.enable_v1_api }}
+{{- $volTypes = append $volTypes "volume" }}
+{{- end }}
+{{- if .Values.conf.cinder.DEFAULT.enable_v2_api }}
+{{- $volTypes = append $volTypes "volumev2" }}
+{{- end }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( $volTypes ) -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
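Review bot: `$serviceTypes`, which the context lines at the top of this hunk still append to, is no longer read once `$ksServiceJob` is built from `$volTypes`, so that loop is now dead code (it starts outside the hunk, so I cannot see what feeds it). Either remove the loop or keep passing its result with `"serviceTypes" $serviceTypes`, so that one place decides which volume service types are registered in Keystone. The same seven-line `$volTypes` block is also pasted into job-ks-endpoints.yaml; a shared named template would keep the service and endpoint jobs from drifting apart.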
diff --git a/charts/cinder/templates/job-ks-user.yaml b/charts/cinder/templates/job-ks-user.yaml
index 78f48cf..a53a88d 100644
--- a/charts/cinder/templates/job-ks-user.yaml
+++ b/charts/cinder/templates/job-ks-user.yaml
@@ -20,7 +20,7 @@
 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
diff --git a/charts/cinder/templates/pod-rally-test.yaml b/charts/cinder/templates/pod-rally-test.yaml
index 34316c6..3ed52cd 100644
--- a/charts/cinder/templates/pod-rally-test.yaml
+++ b/charts/cinder/templates/pod-rally-test.yaml
@@ -53,7 +53,7 @@
           mountPath: /tmp/ks-user.sh
           subPath: ks-user.sh
           readOnly: true
-{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 8 }}
+{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 8 }}
       env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
@@ -93,7 +93,7 @@
           readOnly: true
         - name: rally-db
           mountPath: /var/lib/rally
-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 8 }}
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 8 }}
 {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
   volumes:
     - name: pod-tmp
@@ -108,6 +108,6 @@
         defaultMode: 0555
     - name: rally-db
       emptyDir: {}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
 {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
 {{- end }}
diff --git a/charts/cinder/templates/secret-ingress-tls.yaml b/charts/cinder/templates/secret-ingress-tls.yaml
index f298d67..6a185b2 100644
--- a/charts/cinder/templates/secret-ingress-tls.yaml
+++ b/charts/cinder/templates/secret-ingress-tls.yaml
@@ -13,5 +13,5 @@
 */}}
 
 {{- if .Values.manifests.secret_ingress_tls }}
-{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "volumev3" ) }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "volume" ) }}
 {{- end }}
diff --git a/charts/cinder/templates/service-api.yaml b/charts/cinder/templates/service-api.yaml
index d053063..c906aa0 100644
--- a/charts/cinder/templates/service-api.yaml
+++ b/charts/cinder/templates/service-api.yaml
@@ -18,11 +18,11 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ tuple "volumev3" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+  name: {{ tuple "volume" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 spec:
   ports:
     - name: c-api
-      port: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      port: {{ tuple "volume" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
     {{ if .Values.network.api.node_port.enabled }}
       nodePort: {{ .Values.network.api.node_port.port }}
     {{ end }}
diff --git a/charts/cinder/templates/service-ingress-api.yaml b/charts/cinder/templates/service-ingress-api.yaml
index ff0d27e..951afb5 100644
--- a/charts/cinder/templates/service-ingress-api.yaml
+++ b/charts/cinder/templates/service-ingress-api.yaml
@@ -13,6 +13,6 @@
 */}}
 
 {{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
-{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "volumev3" -}}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "volume" -}}
 {{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
 {{- end }}
diff --git a/charts/cinder/values.yaml b/charts/cinder/values.yaml
index 7633d97..15c1178 100644
--- a/charts/cinder/values.yaml
+++ b/charts/cinder/values.yaml
@@ -434,7 +434,19 @@
     composite:osapi_volume:
       use: call:cinder.api:root_app_factory
       /: apiversions
+      /v1: openstack_volume_api_v1
+      /v2: openstack_volume_api_v2
       /v3: openstack_volume_api_v3
+    composite:openstack_volume_api_v1:
+      use: call:cinder.api.middleware.auth:pipeline_factory
+      noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1
+      keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv1
+      keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv1
+    composite:openstack_volume_api_v2:
+      use: call:cinder.api.middleware.auth:pipeline_factory
+      noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
+      keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv2
+      keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv2
     composite:openstack_volume_api_v3:
       use: call:cinder.api.middleware.auth:pipeline_factory
       noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
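Review bot: The `/v1` and `/v2` entries added to `composite:osapi_volume` are routed unconditionally, although `enable_v1_api` and `enable_v2_api` both default to `false` in this same file and the commit targets Zed. As far as I know Cinder removed the v2 API (and v1 well before it) in releases earlier than Zed, so `cinder.api.v1.router` and `cinder.api.v2.router`, referenced by the `app:apiv1`/`app:apiv2` hunk below, may not exist in the image and the paste config could fail to load; please confirm against the image in use. If they are not needed, I would drop `/v1: openstack_volume_api_v1` and `/v2: openstack_volume_api_v2` together with the two composites, the two `app:` sections and the `volume`/`volumev2` `service_endpoints` entries, which also keeps legacy API versions and their `noauth` pipelines out of the default configuration. The enclosing paste mapping starts outside the hunk.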
@@ -455,6 +467,10 @@
       paste.filter_factory: cinder.api.middleware.auth:NoAuthMiddleware.factory
     filter:sizelimit:
       paste.filter_factory: oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
+    app:apiv1:
+      paste.app_factory: cinder.api.v1.router:APIRouter.factory
+    app:apiv2:
+      paste.app_factory: cinder.api.v2.router:APIRouter.factory
     app:apiv3:
       paste.app_factory: cinder.api.v3.router:APIRouter.factory
     pipeline:apiversions:
@@ -487,6 +503,8 @@
       types: type
       volumes: volume
     service_endpoints:
+      volume: service/storage/block
+      volumev2: service/storage/block
       volumev3: service/storage/block
   cinder_sudoers: |
     # This sudoers file supports rootwrap for both Kolla and LOCI Images.
@@ -774,6 +792,7 @@
       use_syslog: false
       use_stderr: true
       enable_v1_api: false
+      enable_v2_api: false
       volume_name_template: "%s"
       osapi_volume_workers: 1
       glance_api_version: 2
@@ -911,7 +930,7 @@
       rados_connect_timeout: -1
       rbd_user: cinder
       rbd_secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
-      image_volume_cache_enabled: True
+      image_volume_cache_enabled: true
       image_volume_cache_max_size_gb: 200
       image_volume_cache_max_count: 50
   rally_tests:
@@ -1029,7 +1048,7 @@
         - endpoint: internal
           service: identity
         - endpoint: internal
-          service: volumev3
+          service: volume
     backup_storage_init:
       jobs: null
     bootstrap:
@@ -1037,7 +1056,7 @@
         - endpoint: internal
           service: identity
         - endpoint: internal
-          service: volumev3
+          service: volume
       pod:
         - requireSameNode: false
           labels:
@@ -1088,7 +1107,7 @@
         - endpoint: internal
           service: identity
         - endpoint: internal
-          service: volumev3
+          service: volume
     storage_init:
       jobs: null
     tests:
@@ -1096,7 +1115,7 @@
         - endpoint: internal
           service: identity
         - endpoint: internal
-          service: volumev3
+          service: volume
     volume:
       jobs:
         - cinder-db-sync
@@ -1108,7 +1127,7 @@
         - endpoint: internal
           service: identity
         - endpoint: internal
-          service: volumev3
+          service: volume
     volume_usage_audit:
       jobs:
         - cinder-db-sync
@@ -1120,7 +1139,7 @@
         - endpoint: internal
           service: identity
         - endpoint: internal
-          service: volumev3
+          service: volume
     image_repo_sync:
       services:
         - endpoint: internal
@@ -1147,7 +1166,7 @@
     admin: cinder-rabbitmq-admin
     cinder: cinder-rabbitmq-user
   tls:
-    volumev3:
+    volume:
       api:
         public: cinder-tls-public
         internal: cinder-tls-api
@@ -1240,7 +1259,7 @@
       api:
         default: 9292
         public: 80
-  volumev3:
+  volume:
     name: cinder
     hosts:
       default: cinder-api
@@ -1255,6 +1274,50 @@
       #     crt: null
       #     key: null
     path:
+      default: '/v1/%(tenant_id)s'
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 8776
+        public: 80
+  volumev2:
+    name: cinderv2
+    hosts:
+      default: cinder-api
+      public: cinder
+    host_fqdn_override:
+      default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+    path:
+      default: '/v2/%(tenant_id)s'
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 8776
+        public: 80
+  volumev3:
+    name: cinderv3
+    hosts:
+      default: cinder-api
+      public: cinder
+    host_fqdn_override:
+      default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+    path:
       default: '/v3/%(tenant_id)s'
     scheme:
       default: 'http'
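Review bot: After this hunk the templates resolve the Service name, container port, probe scheme, ingress backend and TLS issuer from `endpoints.volume`, while the Keystone jobs register `volumev3` by default, so the duplicated endpoint blocks have to be kept in step by hand. As far as the visible templates show, existing overrides written against `endpoints.volumev3` (for example `scheme` set to https, or a `host_fqdn_override` with `tls`) would now affect only the catalog URL, and the ingress and probes would fall back to the `http` default of `volume`; that is an easy way to lose TLS on upgrade without any error. A comment on the new `volumev2:` and `volumev3:` keys would help, something like `# NOTE: templates read host/port/scheme/TLS from endpoints.volume; mirror any override made here`, and the upgrade notes should say the same for `secrets.tls.volumev3` becoming `secrets.tls.volume`. The `endpoints` mapping starts outside the hunk.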
diff --git a/charts/horizon/Chart.yaml b/charts/horizon/Chart.yaml
index dc5ce03..8cf246f 100644
--- a/charts/horizon/Chart.yaml
+++ b/charts/horizon/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/horizon
 - https://opendev.org/openstack/openstack-helm
-version: 0.3.1
+version: 0.3.2
diff --git a/charts/horizon/requirements.lock b/charts/horizon/requirements.lock
index aeff31a..1a789f6 100644
--- a/charts/horizon/requirements.lock
+++ b/charts/horizon/requirements.lock
@@ -3,4 +3,4 @@
   repository: file://../../openstack-helm-infra/helm-toolkit
   version: 0.2.51
 digest: sha256:9fe05ff9103d825422e13cdd8ce9852c3dacfadc12751b7883affdbe483b1b3b
-generated: "2023-01-30T23:09:58.052136121Z"
+generated: "2023-02-01T21:05:34.36613414Z"
diff --git a/charts/horizon/templates/bin/_django.wsgi.tpl b/charts/horizon/templates/bin/_django.wsgi.tpl
index 578ab50..4626f21 100644
--- a/charts/horizon/templates/bin/_django.wsgi.tpl
+++ b/charts/horizon/templates/bin/_django.wsgi.tpl
@@ -23,7 +23,7 @@
 
 import pymysql
 
-pymysql.version_info = (1, 3, 13, "final", 0)
+pymysql.version_info = (1, 4, 0, "final", 0)
 pymysql.install_as_MySQLdb()
 
 from django.core.wsgi import get_wsgi_application
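Review bot: The `pymysql.version_info` override is bumped here (and identically in `_manage.py.tpl`) with no comment saying why the tuple is faked or where `(1, 4, 0)` comes from. It looks like it exists to pass the minimum-version check Django applies to the module installed as `MySQLdb`; if so, a line such as `# Report a mysqlclient-compatible version so Django's MySQLdb version check passes; keep in step with the Django release in the image` above the assignment would tell the next person what to change on the next upgrade. Since the value is duplicated in two templates, it is easy to update one and miss the other.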
diff --git a/charts/horizon/templates/bin/_manage.py.tpl b/charts/horizon/templates/bin/_manage.py.tpl
index a49cffe..105a32c 100644
--- a/charts/horizon/templates/bin/_manage.py.tpl
+++ b/charts/horizon/templates/bin/_manage.py.tpl
@@ -23,7 +23,7 @@
 import sys
 
 import pymysql
-pymysql.version_info = (1, 3, 13, "final", 0)
+pymysql.version_info = (1, 4, 0, "final", 0)
 pymysql.install_as_MySQLdb()
 
 from django.core.management import execute_from_command_line
diff --git a/charts/keystone/Chart.yaml b/charts/keystone/Chart.yaml
index 8d5fadc..d013470 100644
--- a/charts/keystone/Chart.yaml
+++ b/charts/keystone/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/keystone
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.19
+version: 0.3.0
diff --git a/charts/keystone/charts/helm-toolkit/Chart.yaml b/charts/keystone/charts/helm-toolkit/Chart.yaml
index ffa1cdc..c1296b9 100644
--- a/charts/keystone/charts/helm-toolkit/Chart.yaml
+++ b/charts/keystone/charts/helm-toolkit/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/openstack-helm-infra
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.36
+version: 0.2.51
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_ingress.tpl
index c1693aa..4c476b2 100644
--- a/charts/keystone/charts/helm-toolkit/templates/manifests/_ingress.tpl
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -685,7 +685,9 @@
 {{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
 {{- end }}
 {{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
-{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
 {{- $vHosts := list $hostNameFull }}
 ---
 apiVersion: networking.k8s.io/v1
@@ -704,7 +706,6 @@
 {{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
 {{- $vHosts = append $vHosts $v }}
 {{- end }}
-{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
 {{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
 {{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
   tls:
@@ -716,7 +717,6 @@
 {{- end }}
 {{- end }}
 {{- end }}
-{{- end }}
   rules:
 {{- range $vHost := $vHosts }}
 {{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
index 87872d6..3739f95 100644
--- a/charts/keystone/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -77,6 +77,11 @@
   password="${RABBITMQ_PASSWORD}" \
   tags="user"
 
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
 if [ "${RABBITMQ_VHOST}" != "/" ]
 then
   echo "Managing: vHost: ${RABBITMQ_VHOST}"
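Review bot: `|| true` on the guest deletion hides every failure, not only "user does not exist", so a run where the management API rejects the call leaves the default `guest` account in place with nothing in the job log. The step can stay non-fatal and still report the outcome, for example `name="guest" || echo "WARN: guest user was not deleted"`. The script continues outside this hunk, so whether a later step checks the user list is not visible here.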
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
index db12915..9597d34 100644
--- a/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -66,6 +66,14 @@
 #       framework will automatically tar/zip the files in that directory and
 #       name the tarball appropriately according to the proper conventions.
 #
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
 # The functions in this file will take care of:
 #   1) Calling "dump_databases_to_directory" and then compressing the files,
 #      naming the tarball properly, and then storing it locally at the specified
@@ -90,6 +98,16 @@
   exit $ERRCODE
 }
 
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
 log() {
   #Log message to a file or stdout
   #TODO: This can be convert into mail alert of alert send to a monitoring system
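Review bot: `ERRCODE=${2:-0}` makes `log_verify_backup_exit` end the script with status 0 unless the caller passes a code. The only caller added in this file (the verification step in the main backup function, a later hunk) passes just the message, so the `exit 1` that follows the call is never reached and a failed verification reports success, unless `log` itself terminates first. If a failing status is intended, default to it with `ERRCODE=${2:-1}` or pass `1` at the call site. The commented-out `# rm -rf $TMP_DIR` also leaves the temporary directory behind on this path; if that is deliberate for inspection, a comment saying so would help, since it presumably holds dump files.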
@@ -195,18 +213,52 @@
     fi
   fi
 
+  # load balance delay
+  DELAY=$((1 + ${RANDOM} % 300))
+  echo "Sleeping for ${DELAY} seconds to spread the load in time..."
+  sleep ${DELAY}
+
   # Create an object to store the file
   openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
     return 2
   fi
+
   openstack object show $CONTAINER_NAME $FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
     return 2
   fi
 
+  # load balance delay
+  DELAY=$((1 + ${RANDOM} % 300))
+  echo "Sleeping for ${DELAY} seconds to spread the load in time..."
+  sleep ${DELAY}
+
+  # Calculation remote file SHA256 hash
+  REMOTE_FILE=$(mktemp -p /tmp)
+  openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+    rm -rf ${REMOTE_FILE}
+    return 1
+  fi
+
+  # Remote backup verification
+  SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+  SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+  if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+      return 1
+  fi
+  rm -rf ${REMOTE_FILE}
+
   log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
   return 0
 }
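Review bot: The hash-mismatch branch returns 1 before `rm -rf ${REMOTE_FILE}` runs, so a downloaded copy of the backup archive stays in /tmp whenever verification fails. Removing the temp file as soon as both digests are computed covers every path, for example `rm -f "${REMOTE_FILE}"` directly after the `SHA256_LOCAL=` line. The result of `mktemp` is not checked and the expansions are unquoted, so an empty `REMOTE_FILE` would reach `openstack object save --file` unnoticed. The enclosing function starts outside this hunk.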
@@ -253,6 +305,16 @@
   return 1
 }
 
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+  local A_FILE="$1"
+  awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
 # This function takes a list of archives' names as an input
 # and creates a hash table where keys are number of seconds
 # between current date and archive date (see seconds_difference),
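Review bot: `get_archive_date` assumes at least three dot-separated fields in the name. With two fields `$(NF-2)` is `$0` and the whole name is returned as the date, and with one field awk is asked for a negative field. Archive names are read from a directory or container listing, so a stray object name can get here; `awk -F. 'NF>2 {print $(NF-2)}' <<< "${A_FILE}"` returns an empty string instead. How callers treat an empty date is outside this hunk.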
@@ -271,21 +333,6 @@
 # possible case, when we have several backups of the same date. E.g.
 # one manual, and one automatic.
 
-function get_archive_date(){
-# get_archive_date function returns correct archive date
-# for different formats of archives' names
-# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
-# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
-local A_FILE="$1"
-local A_DATE=""
-if [[ -z ${BACK_UP_MODE} ]]; then
-  A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 4 | tr -d "Z")
-else
-  A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 5 | tr -d "Z")
-fi
-echo ${A_DATE}
-}
-
 declare -A fileTable
 create_hash_table() {
 unset fileTable
@@ -329,33 +376,6 @@
 }
 
 remove_old_local_archives() {
-  if [[ -d $ARCHIVE_DIR ]]; then
-    count=0
-    SECONDS_TO_KEEP=$((${LOCAL_DAYS_TO_KEEP}*86400))
-    log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days"
-    # We iterate over the hash table, checking the delta in seconds (hash keys),
-    # and minimum number of backups we must have in place. List of keys has to be sorted.
-    for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
-      ARCHIVE_FILE=${FILETABLE[${INDEX}]}
-      if [[ ${INDEX} -le ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
-        ((count++))
-        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
-      else
-        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
-          rm -rf $ARCHIVE_FILE
-          if [[ $? -ne 0 ]]; then
-            # Log error but don't exit so we can finish the script
-            # because at this point we haven't sent backup to RGW yet
-            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
-          fi
-      fi
-    done
-  else
-    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
-  fi
-}
-
-remove_old_local_archives() {
   SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
   log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
   if [[ -d $ARCHIVE_DIR ]]; then
@@ -400,8 +420,8 @@
   count=0
   SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
   log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
-  for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
-    ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
     if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
       ((count++))
       log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
@@ -414,10 +434,12 @@
 
   # Cleanup now that we're done.
   for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
-  if [[ -f fd ]]; then
-    rm -f fd
-  else
-    log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
+    else
+      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    fi
+  done
 }
 
 # Main function to backup the databases. Calling functions need to supply:
@@ -474,10 +496,6 @@
 
   cd $ARCHIVE_DIR
 
-  # Remove the temporary directory and files as they are no longer needed.
-  rm -rf $TMP_DIR
-  rm -f $ERR_LOG_FILE
-
   #Only delete the old archive after a successful archive
   export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
   if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
@@ -489,6 +507,25 @@
     done
   fi
 
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  # Remote backup
   REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
   if $REMOTE_BACKUP; then
     # Remove Quotes from the constants which were added due to reading
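Review bot: Verification runs after the local retention block (the `LOCAL_DAYS_TO_KEEP` section that ends just above this addition), so when `verify_databases_backup_archives` rejects the new archive, older archives may already have been pruned. Running the verification before the retention step would keep the last known-good archives when the new one is bad. The comment `# If successful, there should be at least one file in the TMP_DIR` sits in the failure branch and does not describe the `ls $TMP_DIR | wc -w` check below it; something like `# Nothing was dumped: show the error log` matches the code. The function starts and ends outside this hunk.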
@@ -517,8 +554,12 @@
     #Only delete the old archive after a successful archive
     if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
       prepare_list_of_remote_backups
-      create_hash_table $(cat $DB_BACKUP_FILES)
-      remove_old_remote_archives
+      get_backup_prefix $(cat $DB_BACKUP_FILES)
+      for ((i=0; i<${#PREFIXES[@]}; i++)); do
+        echo "Working with prefix: ${PREFIXES[i]}"
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+        remove_old_remote_archives
+      done
     fi
 
     echo "=================================================================="
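Review bot: `grep ${PREFIXES[i]}` passes the prefix unquoted and as a regular expression, so dots in it match any character and one prefix can select another prefix's archives for the retention pass. `grep -F -- "${PREFIXES[i]}"` keeps the match literal and safe against word splitting. `get_backup_prefix` and `PREFIXES` are defined outside this hunk, so the exact prefix format is assumed here.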
@@ -537,4 +578,4 @@
     echo "=================================================================="
   fi
 }
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
index c2de3aa..093dd2c 100644
--- a/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -269,7 +269,7 @@
       echo "=============================================="
       for archive in $archives
       do
-        echo $archive | cut -d '/' -f 8
+        echo $archive | cut -d '/' -f8-
       done
       clean_and_exit 0 ""
     else
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
index 4cc898d..bc2045e 100644
--- a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -42,6 +42,12 @@
 metadata:
   name: {{ $saName }}
   namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
 {{- range $k, $v := $deps -}}
 {{- if eq $k "services" }}
 {{- range $serv := $v }}
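Review bot: `index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name` yields an empty value when the chart has no entry of its own under `secrets.oci_image_registry`, and the ServiceAccount is then rendered with an empty `- name:`. Image pulls would then fail at pod start rather than at render time. Failing the render is clearer, for example `- name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name | required "secrets.oci_image_registry has no entry for this chart" }}`. The template body continues outside this hunk.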
diff --git a/charts/keystone/requirements.lock b/charts/keystone/requirements.lock
index 6d50cc5..d765c01 100644
--- a/charts/keystone/requirements.lock
+++ b/charts/keystone/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: helm-toolkit
   repository: file://../../openstack-helm-infra/helm-toolkit
-  version: 0.2.36
-digest: sha256:7815f273587bf686278d58f0c6e9c86c37f220ef3f3c1e83edc478613082fef4
-generated: "2022-03-24T05:04:09.692437746Z"
+  version: 0.2.51
+digest: sha256:9fe05ff9103d825422e13cdd8ce9852c3dacfadc12751b7883affdbe483b1b3b
+generated: "2023-01-30T23:09:50.646508644Z"
diff --git a/charts/keystone/templates/bin/_fernet-manage.py.tpl b/charts/keystone/templates/bin/_fernet-manage.py.tpl
index 804d769..a93cab8 100644
--- a/charts/keystone/templates/bin/_fernet-manage.py.tpl
+++ b/charts/keystone/templates/bin/_fernet-manage.py.tpl
@@ -22,7 +22,6 @@
 import os
 import pwd
 import re
-import six
 import subprocess  #nosec
 import sys
 import time
@@ -89,14 +88,14 @@
     if len(list(keys)):
         LOG.debug("Keys read from files: %s", keys)
     else:
-        LOG.warn("No keys were read from files.")
+        LOG.warning("No keys were read from files.")
     return data
 
 
 def get_keys_data():
     keys = read_from_files()
     return dict([(key, base64.b64encode(value.encode()).decode())
-                for (key, value) in six.iteritems(keys)])
+                for (key, value) in keys.items()])
 
 
 def write_to_files(data):
@@ -110,7 +109,7 @@
         gid = grp.getgrnam(KEYSTONE_GROUP).gr_gid
         os.chown(FERNET_DIR, uid, gid)
 
-    for (key, value) in six.iteritems(data):
+    for (key, value) in data.items():
         with open(FERNET_DIR + key, 'w') as f:
             decoded_value = base64.b64decode(value).decode()
             f.write(decoded_value)
diff --git a/charts/keystone/templates/configmap-etc.yaml b/charts/keystone/templates/configmap-etc.yaml
index 4b7f046..cde6438 100644
--- a/charts/keystone/templates/configmap-etc.yaml
+++ b/charts/keystone/templates/configmap-etc.yaml
@@ -12,6 +12,12 @@
 limitations under the License.
 */}}
 
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
 {{- if .Values.manifests.configmap_etc }}
 {{- $envAll := . }}
 
@@ -35,7 +41,7 @@
 {{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
 {{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
 {{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
 {{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
 {{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
 {{- end -}}
diff --git a/charts/keystone/templates/cron-job-credential-rotate.yaml b/charts/keystone/templates/cron-job-credential-rotate.yaml
index fd26b23..5906079 100644
--- a/charts/keystone/templates/cron-job-credential-rotate.yaml
+++ b/charts/keystone/templates/cron-job-credential-rotate.yaml
@@ -49,7 +49,7 @@
     name: {{ $serviceAccountName }}
     namespace: {{ $envAll.Release.Namespace }}
 ---
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: keystone-credential-rotate
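Review bot: `batch/v1` CronJob is only served from Kubernetes 1.21 on, and the switch is unconditional, so the chart no longer installs on older clusters. If those are still supported, select the version with `.Capabilities.APIVersions.Has "batch/v1/CronJob"`; otherwise state the minimum version via `kubeVersion` in Chart.yaml. The same applies to cron-job-fernet-rotate.yaml and to `policy/v1` in pdb.yaml.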
@@ -74,6 +74,9 @@
           initContainers:
 {{ tuple $envAll "credential_rotate" $mounts_keystone_credential_rotate_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
           restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.keystone.enabled }}
+{{ tuple $envAll "keystone" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }}
+{{ end }}
           nodeSelector:
             {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
           containers:
diff --git a/charts/keystone/templates/cron-job-fernet-rotate.yaml b/charts/keystone/templates/cron-job-fernet-rotate.yaml
index 8f4f4f9..a059f92 100644
--- a/charts/keystone/templates/cron-job-fernet-rotate.yaml
+++ b/charts/keystone/templates/cron-job-fernet-rotate.yaml
@@ -50,7 +50,7 @@
     name: {{ $serviceAccountName }}
     namespace: {{ $envAll.Release.Namespace }}
 ---
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: keystone-fernet-rotate
@@ -76,6 +76,9 @@
           initContainers:
 {{ tuple $envAll "fernet_rotate" $mounts_keystone_fernet_rotate_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
           restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.keystone.enabled }}
+{{ tuple $envAll "keystone" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }}
+{{ end }}
           nodeSelector:
             {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
           containers:
diff --git a/charts/keystone/templates/deployment-api.yaml b/charts/keystone/templates/deployment-api.yaml
index f415493..c9e8d0f 100644
--- a/charts/keystone/templates/deployment-api.yaml
+++ b/charts/keystone/templates/deployment-api.yaml
@@ -14,9 +14,9 @@
 
 {{- define "apiProbeTemplate" }}
 httpGet:
-  scheme: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+  scheme: {{ tuple "identity" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
   path: /v3/
-  port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+  port: {{ tuple "identity" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 {{- end }}
 
 {{- if .Values.manifests.deployment_api }}
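Review bot: The probe here now resolves the `service` endpoint type instead of `internal`, as do `containerPort` in the later hunk, the Service port in service-api.yaml and `Listen` in values.yaml. An existing override of `endpoints.identity.port.api.internal` therefore no longer moves the listening port. That is a behaviour change for operators and nothing in values.yaml documents it; a comment above `service: 5000` such as `# port the keystone-api container listens on; 'internal' is the port clients use` would cover it. What `endpoint_port_lookup` returns when an override lacks the `service` key is not visible here.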
@@ -58,6 +58,9 @@
 {{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
       nodeSelector:
         {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.keystone.enabled }}
+{{ tuple $envAll "keystone" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
       initContainers:
 {{ tuple $envAll "api" $mounts_keystone_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
@@ -77,7 +80,7 @@
                   - stop
           ports:
             - name: ks-pub
-              containerPort: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              containerPort: {{ tuple "identity" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 {{ dict "envAll" $envAll "component" "api" "container" "api" "type" "readiness" "probeTemplate" (include "apiProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | trim | indent 10 }}
 {{ dict "envAll" $envAll "component" "api" "container" "api" "type" "liveness" "probeTemplate" (include "apiProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | trim | indent 10 }}
           volumeMounts:
diff --git a/charts/keystone/templates/job-bootstrap.yaml b/charts/keystone/templates/job-bootstrap.yaml
index e908927..b1336b1 100644
--- a/charts/keystone/templates/job-bootstrap.yaml
+++ b/charts/keystone/templates/job-bootstrap.yaml
@@ -19,8 +19,11 @@
 
 {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
 {{- $bootstrapJob := dict "envAll" . "serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}}
+{{- if and ( or .Values.manifests.certificates .Values.tls.identity) .Values.secrets.tls.identity.api.internal -}}
 {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
 {{- end -}}
+{{- if .Values.pod.tolerations.keystone.enabled -}}
+{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
 {{- end }}
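Review bot: Only the identity TLS secret honours the new `tls.identity` switch. The db-drop, db-init and rabbit-init templates touched in this commit still test `.Values.manifests.certificates` alone, although values.yaml gains `tls.oslo_db` and `tls.oslo_messaging`. If those flags are meant to behave the same way, the conditions there need the same `or`, e.g. `and (or .Values.manifests.certificates .Values.tls.oslo_db) ...`. If they are consumed elsewhere, a comment next to the `tls:` block in values.yaml should say where.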
diff --git a/charts/keystone/templates/job-credential-cleanup.yaml b/charts/keystone/templates/job-credential-cleanup.yaml
index 854c5b6..fcd7f11 100644
--- a/charts/keystone/templates/job-credential-cleanup.yaml
+++ b/charts/keystone/templates/job-credential-cleanup.yaml
@@ -46,6 +46,9 @@
     spec:
       serviceAccountName: {{ $serviceName }}
       restartPolicy: Never
+{{ if $envAll.Values.pod.tolerations.keystone.enabled }}
+{{ tuple $envAll "keystone" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
       initContainers:
diff --git a/charts/keystone/templates/job-credential-setup.yaml b/charts/keystone/templates/job-credential-setup.yaml
index 1d30eb1..5e6edc6 100644
--- a/charts/keystone/templates/job-credential-setup.yaml
+++ b/charts/keystone/templates/job-credential-setup.yaml
@@ -78,6 +78,9 @@
       initContainers:
 {{ tuple $envAll "credential_setup" $mounts_keystone_credential_setup_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.keystone.enabled }}
+{{ tuple $envAll "keystone" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       nodeSelector:
         {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
       containers:
diff --git a/charts/keystone/templates/job-db-drop.yaml b/charts/keystone/templates/job-db-drop.yaml
index 512b8eb..df270ff 100644
--- a/charts/keystone/templates/job-db-drop.yaml
+++ b/charts/keystone/templates/job-db-drop.yaml
@@ -17,5 +17,8 @@
 {{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
 {{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
 {{- end -}}
+{{- if .Values.pod.tolerations.keystone.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
 {{- end }}
diff --git a/charts/keystone/templates/job-db-init.yaml b/charts/keystone/templates/job-db-init.yaml
index 53e9573..757b705 100644
--- a/charts/keystone/templates/job-db-init.yaml
+++ b/charts/keystone/templates/job-db-init.yaml
@@ -24,5 +24,8 @@
 {{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
 {{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
 {{- end -}}
+{{- if .Values.pod.tolerations.keystone.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
 {{- end }}
diff --git a/charts/keystone/templates/job-db-sync.yaml b/charts/keystone/templates/job-db-sync.yaml
index c3e7315..a4ff67d 100644
--- a/charts/keystone/templates/job-db-sync.yaml
+++ b/charts/keystone/templates/job-db-sync.yaml
@@ -79,5 +79,8 @@
 {{- end }}
 {{- $podEnvVars := tuple . | include "keystone.templates._job_db_sync.env_vars" | toString | fromYaml }}
 {{- $dbSyncJob := dict "envAll" . "serviceName" "keystone" "podVolMounts" $local.podVolMounts "podVols" $local.podVols "podEnvVars" $podEnvVars.env "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}}
+{{- if .Values.pod.tolerations.keystone.enabled -}}
+{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
 {{- end }}
diff --git a/charts/keystone/templates/job-domain-manage.yaml b/charts/keystone/templates/job-domain-manage.yaml
index 5a1c8e2..8acd192 100644
--- a/charts/keystone/templates/job-domain-manage.yaml
+++ b/charts/keystone/templates/job-domain-manage.yaml
@@ -44,6 +44,9 @@
       serviceAccountName: {{ $serviceAccountName }}
 {{ dict "envAll" $envAll "application" "domain_manage" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.keystone.enabled }}
+{{ tuple $envAll "keystone" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       nodeSelector:
         {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
       initContainers:
diff --git a/charts/keystone/templates/job-fernet-setup.yaml b/charts/keystone/templates/job-fernet-setup.yaml
index 786772d..1505ffa 100644
--- a/charts/keystone/templates/job-fernet-setup.yaml
+++ b/charts/keystone/templates/job-fernet-setup.yaml
@@ -78,6 +78,9 @@
       initContainers:
 {{ tuple $envAll "fernet_setup" $mounts_keystone_fernet_setup_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.keystone.enabled }}
+{{ tuple $envAll "keystone" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       nodeSelector:
         {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
       containers:
diff --git a/charts/keystone/templates/job-image-repo-sync.yaml b/charts/keystone/templates/job-image-repo-sync.yaml
index fd301c3..c8cfc5d 100644
--- a/charts/keystone/templates/job-image-repo-sync.yaml
+++ b/charts/keystone/templates/job-image-repo-sync.yaml
@@ -17,5 +17,8 @@
 
 {{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
 {{- $imageRepoSyncJob := dict "envAll" . "serviceName" "keystone" "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) -}}
+{{- if .Values.pod.tolerations.keystone.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
 {{- end }}
diff --git a/charts/keystone/templates/job-rabbit-init.yaml b/charts/keystone/templates/job-rabbit-init.yaml
index 2bb258e..02390ad 100644
--- a/charts/keystone/templates/job-rabbit-init.yaml
+++ b/charts/keystone/templates/job-rabbit-init.yaml
@@ -22,5 +22,8 @@
 {{- if and .Values.manifests.certificates .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
 {{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
 {{- end -}}
+{{- if .Values.pod.tolerations.keystone.enabled -}}
+{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
 {{- end }}
diff --git a/charts/keystone/templates/pdb.yaml b/charts/keystone/templates/pdb.yaml
index 975a098..65f171b 100644
--- a/charts/keystone/templates/pdb.yaml
+++ b/charts/keystone/templates/pdb.yaml
@@ -15,7 +15,7 @@
 {{- if .Values.manifests.pdb_api }}
 {{- $envAll := . }}
 ---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: keystone-api
diff --git a/charts/keystone/templates/pod-rally-test.yaml b/charts/keystone/templates/pod-rally-test.yaml
index c3730cc..ad5b23a 100644
--- a/charts/keystone/templates/pod-rally-test.yaml
+++ b/charts/keystone/templates/pod-rally-test.yaml
@@ -12,19 +12,25 @@
 limitations under the License.
 */}}
 
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
 {{- if .Values.manifests.pod_rally_test }}
 {{- $envAll := . }}
 
 {{- $mounts_tests := .Values.pod.mounts.keystone_tests.keystone_tests }}
 {{- $mounts_tests_init := .Values.pod.mounts.keystone_tests.init_container }}
 
-{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
 {{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: v1
 kind: Pod
 metadata:
-  name: {{ print $envAll.Release.Name "-test" }}
+  name: {{ print $envAll.deployment_name "-test" }}
   labels:
 {{ tuple $envAll "keystone" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
   annotations:
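Review bot: The `deployment_name` block is repeated verbatim here and in configmap-etc.yaml, and it writes a new key into the root context with `set .`; a single named template would keep the rule in one place. With `global.subchart_release_name` set the value is `.Chart.Name`, so the test Pod and its ServiceAccount are always named `keystone-test` and two releases in one namespace would collide. A template comment above the block, e.g. `{{/* use the chart name when deployed as a subchart of an umbrella release */}}`, would state when the flag is meant to be set.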
@@ -79,7 +85,7 @@
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
 {{- end }}
         - name: RALLY_ENV_NAME
-          value: {{.Release.Name}}
+          value: {{.deployment_name}}
       command:
         - /tmp/rally-test.sh
       volumeMounts:
diff --git a/charts/nova/templates/bin/_nova-consoleauth.sh.tpl b/charts/keystone/templates/secret-registry.yaml
similarity index 71%
copy from charts/nova/templates/bin/_nova-consoleauth.sh.tpl
copy to charts/keystone/templates/secret-registry.yaml
index 97c4195..da979b3 100644
--- a/charts/nova/templates/bin/_nova-consoleauth.sh.tpl
+++ b/charts/keystone/templates/secret-registry.yaml
@@ -1,5 +1,3 @@
-#!/bin/bash
-
 {{/*
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,6 +12,6 @@
 limitations under the License.
 */}}
 
-set -x
-exec nova-consoleauth \
-      --config-file /etc/nova/nova.conf
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/keystone/templates/service-api.yaml b/charts/keystone/templates/service-api.yaml
index 5fb0112..21f9f3c 100644
--- a/charts/keystone/templates/service-api.yaml
+++ b/charts/keystone/templates/service-api.yaml
@@ -21,9 +21,8 @@
   name: {{ tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 spec:
   ports:
-  {{- $portInt := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
     - name: ks-pub
-      port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      port: {{ tuple "identity" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
       {{ if .Values.network.api.node_port.enabled }}
       nodePort: {{ .Values.network.api.node_port.port }}
       {{ end }}
diff --git a/charts/keystone/values.yaml b/charts/keystone/values.yaml
index 301ff6f..69546b5 100644
--- a/charts/keystone/values.yaml
+++ b/charts/keystone/values.yaml
@@ -68,7 +68,6 @@
           --domain="${OS_DEFAULT_DOMAIN}" \
           "admin"
 
-
 network:
   api:
     ingress:
@@ -217,6 +216,13 @@
         default: kubernetes.io/hostname
       weight:
         default: 10
+  tolerations:
+    keystone:
+      enabled: false
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
   mounts:
     keystone_db_init:
       init_container: null
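Review bot: The default toleration names only `node-role.kubernetes.io/master`, while recent Kubernetes releases taint control-plane nodes with `node-role.kubernetes.io/control-plane`. This commit already moves the chart to `batch/v1` and `policy/v1`, so on the clusters it targets, setting `enabled: true` may tolerate nothing. Adding a second entry covers both: `- key: node-role.kubernetes.io/control-plane`, `operator: Exists`, `effect: NoSchedule`.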
@@ -766,7 +772,7 @@
       ThreadLimit         720
     </IfModule>
   wsgi_keystone: |
-    {{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    {{- $portInt := tuple "identity" "service" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 
     Listen 0.0.0.0:{{ $portInt }}
 
@@ -894,6 +900,8 @@
       api:
         public: keystone-tls-public
         internal: keystone-tls-api
+  oci_image_registry:
+    keystone: keystone-oci-image-registry
 
 # typically overridden by environmental
 # values, but should include all endpoints
@@ -912,6 +920,21 @@
     port:
       registry:
         node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      keystone:
+        username: keystone
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
   identity:
     namespace: null
     name: keystone
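Review bot: `password: password` under `oci_image_registry.auth.keystone` is a working default, so turning on `auth.enabled` without overriding it renders a pull secret for `keystone:password`. A default that cannot be used by accident is safer: mark it with `# placeholder; must be overridden when auth.enabled is true`, and have the consuming template reject an unset or placeholder value. The helm-toolkit `secret_registry` template that reads these keys is outside this hunk, so where that check belongs is left open. Values files with real credentials should come from a secret store rather than being committed.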
@@ -949,12 +972,14 @@
       default: /v3
     scheme:
       default: http
+      service: http
     port:
       api:
         default: 80
         # NOTE(portdirect): to retain portability across images, and allow
         # running under a unprivileged user simply, we default to a port > 1000.
         internal: 5000
+        service: 5000
   oslo_db:
     namespace: null
     auth:
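Review bot: The new `service: 5000` key under `port.api` (and `scheme.service`) has no comment saying how it differs from `internal`, although the listeners now read it: `wsgi_keystone` in this file and `osapi_compute_listen_port` in `charts/nova/templates/configmap-etc.yaml` both switch their lookup from `"internal"` to `"service"`. An override file that customised only `port.api.internal` will no longer move the listen port, and what `endpoint_port_lookup` returns when `service` is absent depends on its fallback, which is not visible here. If the intent is that `service` is the port the process binds to inside the pod, a comment such as `# service: port the API process listens on; internal: port clients connect to` above the key would make the split explicit.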
@@ -1064,6 +1089,11 @@
       ingress:
         default: 80
 
+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
 manifests:
   certificates: false
   configmap_bin: true
@@ -1091,6 +1121,7 @@
   secret_ingress_tls: true
   secret_keystone: true
   secret_rabbitmq: true
+  secret_registry: true
   service_ingress_api: true
   service_api: true
 ...
diff --git a/charts/neutron/templates/configmap-etc.yaml b/charts/neutron/templates/configmap-etc.yaml
index 36af849..9266081 100644
--- a/charts/neutron/templates/configmap-etc.yaml
+++ b/charts/neutron/templates/configmap-etc.yaml
@@ -93,6 +93,29 @@
 {{- $_ := set $envAll.Values.conf.neutron.nova "password" $envAll.Values.endpoints.identity.auth.nova.password -}}
 {{- end -}}
 
+{{- if empty $envAll.Values.conf.neutron.placement.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.placement "auth_url" -}}
+{{- end }}
+
+{{- if empty $envAll.Values.conf.neutron.placement.region_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.placement "region_name" $envAll.Values.endpoints.identity.auth.placement.region_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.placement.project_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.placement "project_name" $envAll.Values.endpoints.identity.auth.placement.project_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.placement.project_domain_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.placement "project_domain_name" $envAll.Values.endpoints.identity.auth.placement.project_domain_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.placement.user_domain_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.placement "user_domain_name" $envAll.Values.endpoints.identity.auth.placement.user_domain_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.placement.username -}}
+{{- $_ := set $envAll.Values.conf.neutron.placement "username" $envAll.Values.endpoints.identity.auth.placement.username -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.placement.password -}}
+{{- $_ := set $envAll.Values.conf.neutron.placement "password" $envAll.Values.endpoints.identity.auth.placement.password -}}
+{{- end -}}
+
 {{- if empty $envAll.Values.conf.neutron.octavia.base_url -}}
 {{- $_ := tuple "load_balancer" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.octavia "base_url" -}}
 {{- end }}
diff --git a/charts/neutron/values.yaml b/charts/neutron/values.yaml
index 0fb2645..57a93a8 100644
--- a/charts/neutron/values.yaml
+++ b/charts/neutron/values.yaml
@@ -1728,6 +1728,10 @@
       auth_type: password
       auth_version: v3
       endpoint_type: internal
+    placement:
+      auth_type: password
+      auth_version: v3
+      endpoint_type: internal
     designate:
       auth_type: password
       auth_version: v3
@@ -2189,6 +2193,13 @@
         password: password
         user_domain_name: service
         project_domain_name: service
+      placement:
+        region_name: RegionOne
+        project_name: service
+        username: placement
+        password: password
+        user_domain_name: service
+        project_domain_name: service
       designate:
         region_name: RegionOne
         project_name: service
diff --git a/charts/nova/Chart.yaml b/charts/nova/Chart.yaml
index e43c866..818a9b9 100644
--- a/charts/nova/Chart.yaml
+++ b/charts/nova/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/nova
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.32
+version: 0.3.1
diff --git a/charts/nova/charts/helm-toolkit/Chart.yaml b/charts/nova/charts/helm-toolkit/Chart.yaml
index 751c291..c1296b9 100644
--- a/charts/nova/charts/helm-toolkit/Chart.yaml
+++ b/charts/nova/charts/helm-toolkit/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/openstack-helm-infra
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.38
+version: 0.2.51
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_ingress.tpl
index c1693aa..4c476b2 100644
--- a/charts/nova/charts/helm-toolkit/templates/manifests/_ingress.tpl
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -685,7 +685,9 @@
 {{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
 {{- end }}
 {{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
-{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
 {{- $vHosts := list $hostNameFull }}
 ---
 apiVersion: networking.k8s.io/v1
@@ -704,7 +706,6 @@
 {{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
 {{- $vHosts = append $vHosts $v }}
 {{- end }}
-{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
 {{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
 {{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
   tls:
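Review bot: With the `tls.key`/`tls.crt` guard removed here (its `end` goes in the next hunk), the `tls:` section is emitted for every host that reaches this branch, whether or not the values carry certificate material. The enclosing condition starts outside the hunk, so what still gates it is not visible; if nothing else creates the secret named by `$secretName` (for example a certificate controller), the Ingress will reference a secret that does not exist. A short comment above the `$secretName` lookup, e.g. `{{/* the TLS secret may be created outside this chart; key/crt in values are optional */}}`, would record that assumption.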
@@ -716,7 +717,6 @@
 {{- end }}
 {{- end }}
 {{- end }}
-{{- end }}
   rules:
 {{- range $vHost := $vHosts }}
 {{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
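Review bot: The doc block at the top of this new file does not match the template: the example values use `name: {{ $userName }}` while the code reads `$imageCredentials.username`, and the `return:` sample shows `dockerconfigjson:` where the manifest emits `.dockerconfigjson:`. Someone copying the example would presumably get a pull secret whose token is built from a missing username, without a render error. The `index` lookups are also unchecked, so a `registryUser` absent from `secrets.oci_image_registry` renders an empty `name:`; `{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser | required "secrets.oci_image_registry entry is missing" }}` would fail early. The same unchecked lookup feeds `imagePullSecrets` in `_kubernetes_pod_rbac_serviceaccount.tpl`. The example entry is also repeated verbatim and could appear once.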
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
index 87872d6..3739f95 100644
--- a/charts/nova/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -77,6 +77,11 @@
   password="${RABBITMQ_PASSWORD}" \
   tags="user"
 
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
 if [ "${RABBITMQ_VHOST}" != "/" ]
 then
   echo "Managing: vHost: ${RABBITMQ_VHOST}"
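Review bot: `|| true` on the new `delete user` call for `guest` hides every failure, not only the case where the user is already absent, so a run in which the default `guest` account survives looks the same in the job log as one where it was removed. Keeping the call non-fatal but reporting the failure would help: `name="guest" || echo "WARNING: guest user was not deleted (may already be absent)" >&2`. The rest of the script lies outside the hunk, so whether `set -e` is in effect is not visible here.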
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
index db12915..9597d34 100644
--- a/charts/nova/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -66,6 +66,14 @@
 #       framework will automatically tar/zip the files in that directory and
 #       name the tarball appropriately according to the proper conventions.
 #
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
 # The functions in this file will take care of:
 #   1) Calling "dump_databases_to_directory" and then compressing the files,
 #      naming the tarball properly, and then storing it locally at the specified
@@ -90,6 +98,16 @@
   exit $ERRCODE
 }
 
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
 log() {
   #Log message to a file or stdout
   #TODO: This can be convert into mail alert of alert send to a monitoring system
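Review bot: `log_verify_backup_exit` defaults the exit code to 0 (`ERRCODE=${2:-0}`) and then runs `exit $ERRCODE`, while the only caller added by this commit, in the `@@ -489,6 +507,25 @@` hunk, passes just a message. A failed verification therefore ends the script with status 0, the `exit 1` written after the call is never reached, and the backup job would presumably be reported as successful. Either pass the code at the call site, `log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention." 1`, or default to a failure with `ERRCODE=${2:-1}`. The commented-out `# rm -rf $TMP_DIR` should also say why the directory is kept, or be removed.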
@@ -195,18 +213,52 @@
     fi
   fi
 
+  # load balance delay
+  DELAY=$((1 + ${RANDOM} % 300))
+  echo "Sleeping for ${DELAY} seconds to spread the load in time..."
+  sleep ${DELAY}
+
   # Create an object to store the file
   openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
     return 2
   fi
+
   openstack object show $CONTAINER_NAME $FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
     return 2
   fi
 
+  # load balance delay
+  DELAY=$((1 + ${RANDOM} % 300))
+  echo "Sleeping for ${DELAY} seconds to spread the load in time..."
+  sleep ${DELAY}
+
+  # Calculation remote file SHA256 hash
+  REMOTE_FILE=$(mktemp -p /tmp)
+  openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+    rm -rf ${REMOTE_FILE}
+    return 1
+  fi
+
+  # Remote backup verification
+  SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+  SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+  if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+      return 1
+  fi
+  rm -rf ${REMOTE_FILE}
+
   log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
   return 0
 }
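Review bot: On a hash mismatch the function returns at `return 1` before reaching `rm -rf ${REMOTE_FILE}`, so the downloaded copy of the database backup stays in `/tmp`. Deleting the file as soon as its hash has been taken avoids that: put `rm -f "${REMOTE_FILE}"` directly after the `SHA256_REMOTE=` line and drop the later `rm`. The hashes can also be computed without `cat`, e.g. `SHA256_REMOTE=$(sha256sum "${REMOTE_FILE}" | awk '{print $1}')`. The function starts outside this hunk. The two random sleeps of up to 300 seconds each deserve a comment on what load they are meant to spread, since they lengthen every remote upload.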
@@ -253,6 +305,16 @@
   return 1
 }
 
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+  local A_FILE="$1"
+  awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
 # This function takes a list of archives' names as an input
 # and creates a hash table where keys are number of seconds
 # between current date and archive date (see seconds_difference),
@@ -271,21 +333,6 @@
 # possible case, when we have several backups of the same date. E.g.
 # one manual, and one automatic.
 
-function get_archive_date(){
-# get_archive_date function returns correct archive date
-# for different formats of archives' names
-# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
-# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
-local A_FILE="$1"
-local A_DATE=""
-if [[ -z ${BACK_UP_MODE} ]]; then
-  A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 4 | tr -d "Z")
-else
-  A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 5 | tr -d "Z")
-fi
-echo ${A_DATE}
-}
-
 declare -A fileTable
 create_hash_table() {
 unset fileTable
@@ -329,33 +376,6 @@
 }
 
 remove_old_local_archives() {
-  if [[ -d $ARCHIVE_DIR ]]; then
-    count=0
-    SECONDS_TO_KEEP=$((${LOCAL_DAYS_TO_KEEP}*86400))
-    log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days"
-    # We iterate over the hash table, checking the delta in seconds (hash keys),
-    # and minimum number of backups we must have in place. List of keys has to be sorted.
-    for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
-      ARCHIVE_FILE=${FILETABLE[${INDEX}]}
-      if [[ ${INDEX} -le ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
-        ((count++))
-        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
-      else
-        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
-          rm -rf $ARCHIVE_FILE
-          if [[ $? -ne 0 ]]; then
-            # Log error but don't exit so we can finish the script
-            # because at this point we haven't sent backup to RGW yet
-            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
-          fi
-      fi
-    done
-  else
-    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
-  fi
-}
-
-remove_old_local_archives() {
   SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
   log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
   if [[ -d $ARCHIVE_DIR ]]; then
@@ -400,8 +420,8 @@
   count=0
   SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
   log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
-  for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
-    ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
     if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
       ((count++))
       log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
@@ -414,10 +434,12 @@
 
   # Cleanup now that we're done.
   for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
-  if [[ -f fd ]]; then
-    rm -f fd
-  else
-    log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
+    else
+      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    fi
+  done
 }
 
 # Main function to backup the databases. Calling functions need to supply:
@@ -474,10 +496,6 @@
 
   cd $ARCHIVE_DIR
 
-  # Remove the temporary directory and files as they are no longer needed.
-  rm -rf $TMP_DIR
-  rm -f $ERR_LOG_FILE
-
   #Only delete the old archive after a successful archive
   export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
   if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
@@ -489,6 +507,25 @@
     done
   fi
 
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  # Remote backup
   REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
   if $REMOTE_BACKUP; then
     # Remove Quotes from the constants which were added due to reading
@@ -517,8 +554,12 @@
     #Only delete the old archive after a successful archive
     if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
       prepare_list_of_remote_backups
-      create_hash_table $(cat $DB_BACKUP_FILES)
-      remove_old_remote_archives
+      get_backup_prefix $(cat $DB_BACKUP_FILES)
+      for ((i=0; i<${#PREFIXES[@]}; i++)); do
+        echo "Working with prefix: ${PREFIXES[i]}"
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+        remove_old_remote_archives
+      done
     fi
 
     echo "=================================================================="
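Review bot: `grep ${PREFIXES[i]}` in the new loop treats the prefix as an unquoted regular expression, so the dots that archive names contain match any character, and a prefix that is a leading substring of another selects both sets of archives. Since the selected list feeds `remove_old_remote_archives`, the retention count could then be applied across the wrong group. `create_hash_table $(grep -F -- "${PREFIXES[i]}" "${DB_BACKUP_FILES}")` matches the prefix literally. `get_backup_prefix` is defined outside this hunk, so the exact prefix format is an assumption.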
@@ -537,4 +578,4 @@
     echo "=================================================================="
   fi
 }
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
index aa656c1..8ca1028 100644
--- a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -49,7 +49,7 @@
 {{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
 {{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
 {{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
-{{- $mapName := printf "%s-%s-%s" $envAll.Chart.Name $component "apparmor" -}}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
 {{- if $envAll.Values.conf.apparmor_profiles }}
 ---
 apiVersion: v1
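Review bot: Replacing `$envAll.Chart.Name` with `$envAll.Release.Name` renames the generated ConfigMap for any release whose name differs from the chart name, and none of the hunks making this substitution carries a comment or upgrade note. The same change is made in `_kubernetes_apparmor_volumes.tpl`, `_kubernetes_metadata_labels.tpl`, `_kubernetes_pod_anti_affinity.tpl`, `_kubernetes_pod_rbac_roles.tpl` and `_to_k8s_env_secret_vars.tpl`. The `release_group` label default is the one to watch: if that label is part of a workload selector (not visible here), an in-place upgrade of such a release may be rejected because selectors are immutable. A note in the chart's release notes, or setting `release_group` explicitly in values for existing releases, would keep the names stable across the upgrade.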
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
index c5e07ee..baebaa3 100644
--- a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -42,7 +42,7 @@
 {{- $envAll := index . "envAll" -}}
 {{- $component := index . "component" -}}
 {{- $requireSys := index . "requireSys" | default false -}}
-{{- $configName := printf "%s-%s-%s" $envAll.Chart.Name $component "apparmor" -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
 {{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
 {{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
 {{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
index b8493b3..48b53fa 100644
--- a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -37,7 +37,7 @@
 {{- $envAll := index . 0 -}}
 {{- $application := index . 1 -}}
 {{- $component := index . 2 -}}
-release_group: {{ $envAll.Values.release_group | default $envAll.Chart.Name }}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
 application: {{ $application }}
 component: {{ $component }}
 {{- if ($envAll.Values.pod).labels }}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
index f1ad580..fabbcf8 100644
--- a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -53,7 +53,7 @@
 {{- $envAll := index . "envAll" -}}
 {{- $application := index . "application" -}}
 {{- $component := index . "component" -}}
-{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Chart.Name ) ) -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In"  "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
 {{- $expressionApplication := dict "key" "application" "operator" "In"  "values" ( list $application ) -}}
 {{- $expressionComponent := dict "key" "component" "operator" "In"  "values" ( list $component ) -}}
 {{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
index c2576d5..90a7a65 100644
--- a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -17,7 +17,7 @@
 {{- $deps := index . 1 -}}
 {{- $saName := index . 2 | replace "_" "-" }}
 {{- $saNamespace := index . 3 -}}
-{{- $releaseName := $envAll.Chart.Name }}
+{{- $releaseName := $envAll.Release.Name }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
index 4cc898d..bc2045e 100644
--- a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -42,6 +42,12 @@
 metadata:
   name: {{ $saName }}
   namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
 {{- range $k, $v := $deps -}}
 {{- if eq $k "services" }}
 {{- range $serv := $v }}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
index 7fa180a..6e9d5a1 100644
--- a/charts/nova/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -28,7 +28,7 @@
         {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
       config_to_complete:
         #here we can fill out params, but things need to be valid yaml as input
-        '{{ .Chart.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+        '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
       static_config:
         #this is just passed though as yaml to the configmap
         foo: bar
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
index d66663f..885a86c 100644
--- a/charts/nova/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -40,7 +40,7 @@
 - name: {{ $key }}
   valueFrom:
     secretKeyRef:
-      name: {{ printf "%s-%s" $context.Chart.Name "env-secret" | quote }}
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
       key: {{ $key }}
 {{ end -}}
 {{- end -}}
diff --git a/charts/nova/requirements.lock b/charts/nova/requirements.lock
index 159c53a..75ab5ad 100644
--- a/charts/nova/requirements.lock
+++ b/charts/nova/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: helm-toolkit
   repository: file://../../openstack-helm-infra/helm-toolkit
-  version: 0.2.38
-digest: sha256:5e8c9ccd0834d092abdcf29f1a6d79c906d4aa9f61c375d617f69a342c40747f
-generated: "2022-03-25T19:12:55.919908558Z"
+  version: 0.2.51
+digest: sha256:9fe05ff9103d825422e13cdd8ce9852c3dacfadc12751b7883affdbe483b1b3b
+generated: "2023-01-30T23:09:59.565900423Z"
diff --git a/charts/nova/templates/bin/_health-probe.py.tpl b/charts/nova/templates/bin/_health-probe.py.tpl
index 0185319..4034df7 100644
--- a/charts/nova/templates/bin/_health-probe.py.tpl
+++ b/charts/nova/templates/bin/_health-probe.py.tpl
@@ -154,7 +154,6 @@
     dict_services = {
         "compute": "nova-compute",
         "conductor": "nova-conductor",
-        "consoleauth": "nova-consoleaut",
         "scheduler": "nova-scheduler"
     }
     r_ports, d_ports = configured_port_in_conf()
diff --git a/charts/nova/templates/bin/_nova-console-proxy-init.sh.tpl b/charts/nova/templates/bin/_nova-console-proxy-init.sh.tpl
index 6218d29..1663692 100644
--- a/charts/nova/templates/bin/_nova-console-proxy-init.sh.tpl
+++ b/charts/nova/templates/bin/_nova-console-proxy-init.sh.tpl
@@ -51,6 +51,7 @@
 [vnc]
 vncserver_proxyclient_address = $client_address
 vncserver_listen = $listen_ip
+novncproxy_host = $listen_ip
 EOF
 elif [ "${console_kind}" == "spice" ] ; then
 cat <<EOF>/tmp/pod-shared/nova-spice.ini
diff --git a/charts/nova/templates/bin/_nova-placement-api.sh.tpl b/charts/nova/templates/bin/_nova-placement-api.sh.tpl
deleted file mode 100644
index 762af44..0000000
--- a/charts/nova/templates/bin/_nova-placement-api.sh.tpl
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/bin/bash
-
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-set -ex
-COMMAND="${@:-start}"
-
-function start () {
-
-  cp -a $(type -p nova-placement-api) /var/www/cgi-bin/nova/
-
-  if [ -f /etc/apache2/envvars ]; then
-    # Loading Apache2 ENV variables
-    source /etc/apache2/envvars
-    # The directory below has to be created due to the fact that
-    # libapache2-mod-wsgi-py3 doesn't create it in contrary by libapache2-mod-wsgi
-    if [ ! -d ${APACHE_RUN_DIR} ]; then
-      mkdir -p ${APACHE_RUN_DIR}
-    fi
-  fi
-
-  # Start Apache2
-  {{- if .Values.conf.software.apache2.a2enmod }}
-    {{- range .Values.conf.software.apache2.a2enmod }}
-  a2enmod {{ . }}
-    {{- end }}
-  {{- end }}
-  {{- if .Values.conf.software.apache2.a2dismod }}
-    {{- range .Values.conf.software.apache2.a2dismod }}
-  a2dismod {{ . }}
-    {{- end }}
-  {{- end }}
-  exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
-}
-
-function stop () {
-  if [ -f /etc/apache2/envvars ]; then
-    source /etc/apache2/envvars
-  fi
-  {{ .Values.conf.software.apache2.binary }} -k graceful-stop
-}
-
-$COMMAND
diff --git a/charts/nova/templates/configmap-bin.yaml b/charts/nova/templates/configmap-bin.yaml
index 141130a..90a91a9 100644
--- a/charts/nova/templates/configmap-bin.yaml
+++ b/charts/nova/templates/configmap-bin.yaml
@@ -69,8 +69,6 @@
 {{ tuple "bin/_nova-api-metadata.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   nova-api-metadata-init.sh: |
 {{ tuple "bin/_nova-api-metadata-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-  nova-placement-api.sh: |
-{{ tuple "bin/_nova-placement-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   nova-compute.sh: |
 {{ tuple "bin/_nova-compute.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   nova-compute-init.sh: |
@@ -79,8 +77,6 @@
 {{ tuple "bin/_nova-compute-ironic.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   nova-conductor.sh: |
 {{ tuple "bin/_nova-conductor.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-  nova-consoleauth.sh: |
-{{ tuple "bin/_nova-consoleauth.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   nova-scheduler.sh: |
 {{ tuple "bin/_nova-scheduler.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   fake-iptables.sh: |
diff --git a/charts/nova/templates/configmap-etc.yaml b/charts/nova/templates/configmap-etc.yaml
index c92fd93..12ad86c 100644
--- a/charts/nova/templates/configmap-etc.yaml
+++ b/charts/nova/templates/configmap-etc.yaml
@@ -11,6 +11,11 @@
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
 
 {{- define "nova.configmap.etc" }}
 {{- $configMapName := index . 0 }}
@@ -236,13 +241,13 @@
 {{- end -}}
 
 {{- if empty .Values.conf.nova.DEFAULT.osapi_compute_listen_port -}}
-{{- $_ := tuple "compute" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.nova.DEFAULT "osapi_compute_listen_port" -}}
+{{- $_ := tuple "compute" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.nova.DEFAULT "osapi_compute_listen_port" -}}
 {{- end -}}
 
 {{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
 {{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
 {{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
 {{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
 {{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
 {{- end -}}
@@ -278,7 +283,6 @@
   logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
   api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
   nova-ironic.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova_ironic | b64enc }}
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_placement "key" "wsgi-nova-placement.conf" "format" "Secret" ) | indent 2 }}
 {{- if .Values.manifests.certificates }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_nova_api "key" "wsgi-api.conf" "format" "Secret" ) | indent 2 }}
diff --git a/charts/nova/templates/cron-job-archive-deleted-rows.yaml b/charts/nova/templates/cron-job-archive-deleted-rows.yaml
index 7baa330..7316b3a 100644
--- a/charts/nova/templates/cron-job-archive-deleted-rows.yaml
+++ b/charts/nova/templates/cron-job-archive-deleted-rows.yaml
@@ -18,7 +18,7 @@
 {{- $serviceAccountName := "nova-archive-deleted-rows-cron" }}
 {{ tuple $envAll "archive_deleted_rows" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: nova-archive-deleted-rows
@@ -47,6 +47,9 @@
           restartPolicy: OnFailure
           nodeSelector:
             {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.nova.enabled }}
+{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }}
+{{ end }}
           initContainers:
 {{ tuple $envAll "archive-deleted-rows" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
           containers:
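Review bot: A single `pod.tolerations.nova` switch now drives tolerations for every nova workload this commit touches: the three cron jobs, the API, conductor and novncproxy deployments, and the compute daemonset, which runs with `hostNetwork`, `hostPID` and `hostIPC`. Tolerations enabled to let control-plane pods onto tainted nodes therefore also apply to the host-namespace daemonset and to the jobs. Whether that is intended is not visible from the templates, so it deserves a comment in values or a per-component key. Separately, the block uses `{{ if … }}`/`{{ end }}` without the `{{-` trimming that the neighbouring conditionals use, which leaves blank lines in the rendered pod spec; `{{- if $envAll.Values.pod.tolerations.nova.enabled }}` and `{{- end }}` would match the rest of the file.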
@@ -56,6 +59,11 @@
 {{ dict "envAll" $envAll "application" "archive_deleted_rows" "container" "nova_archive_deleted_rows" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
               command:
                 - /tmp/archive-deleted-rows.sh
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+              env:
+                - name: REQUESTS_CA_BUNDLE
+                  value: "/etc/nova/certs/ca.crt"
+{{- end }}
               volumeMounts:
                 - name: pod-tmp
                   mountPath: /tmp
@@ -71,6 +79,7 @@
                   mountPath: /tmp/archive-deleted-rows.sh
                   readOnly: true
                   subPath: archive-deleted-rows.sh
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
           volumes:
             - name: pod-tmp
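Review bot: The added `tls_volume_mount` call passes no `certs` list, so, unless the helper's default is CA-only, the job container receives the compute API's `tls.crt` and `tls.key` although the only file this commit points it at is `/etc/nova/certs/ca.crt` via `REQUESTS_CA_BUNDLE`. deployment-conductor.yaml in this same commit narrows its mount with `"certs" (tuple "ca.crt")`; adding that argument here keeps the private key out of a pod that only acts as a client. The same applies to the new mount in cron-job-cell-setup.yaml and, as far as the visible lines show, to the compute daemonset mounts whose gate is widened to `tls.identity`. With `tls.identity` set and `manifests.certificates` unset, the secret named by `secrets.tls.compute.osapi.internal` must also exist already or the pod will not start; that precondition is worth a comment in values.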
@@ -82,4 +91,6 @@
             - name: archive-deleted-rows-conf
               secret:
                 secretName: nova-etc
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- end }}
diff --git a/charts/nova/templates/cron-job-cell-setup.yaml b/charts/nova/templates/cron-job-cell-setup.yaml
index 18b661a..b90b84e 100644
--- a/charts/nova/templates/cron-job-cell-setup.yaml
+++ b/charts/nova/templates/cron-job-cell-setup.yaml
@@ -18,7 +18,7 @@
 {{- $serviceAccountName := "nova-cell-setup-cron" }}
 {{ tuple $envAll "cell_setup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: nova-cell-setup
@@ -47,6 +47,9 @@
           restartPolicy: OnFailure
           nodeSelector:
             {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.nova.enabled }}
+{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }}
+{{ end }}
           initContainers:
 {{ tuple $envAll "cell_setup" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
           containers:
@@ -56,6 +59,11 @@
 {{ dict "envAll" $envAll "application" "cell_setup" "container" "nova_cell_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
               command:
                 - /tmp/cell-setup.sh
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+              env:
+                - name: REQUESTS_CA_BUNDLE
+                  value: "/etc/nova/certs/ca.crt"
+{{- end }}
               volumeMounts:
                 - name: pod-tmp
                   mountPath: /tmp
@@ -79,7 +87,9 @@
                   mountPath: /etc/nova/policy.yaml
                   subPath: policy.yaml
                   readOnly: true
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
+
           volumes:
             - name: pod-tmp
               emptyDir: {}
@@ -93,5 +103,7 @@
               configMap:
                 name: nova-bin
                 defaultMode: 0555
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+
 {{- end }}
diff --git a/charts/nova/templates/cron-job-service-cleaner.yaml b/charts/nova/templates/cron-job-service-cleaner.yaml
index bbe3fab..dd61db7 100644
--- a/charts/nova/templates/cron-job-service-cleaner.yaml
+++ b/charts/nova/templates/cron-job-service-cleaner.yaml
@@ -18,7 +18,7 @@
 {{- $serviceAccountName := "nova-service-cleaner" }}
 {{ tuple $envAll "service_cleaner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: nova-service-cleaner
@@ -47,6 +47,9 @@
           restartPolicy: OnFailure
           nodeSelector:
             {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.nova.enabled }}
+{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }}
+{{ end }}
           initContainers:
 {{ tuple $envAll "service_cleaner" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
           containers:
@@ -55,7 +58,7 @@
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.service_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
 {{ dict "envAll" $envAll "application" "service_cleaner" "container" "nova_service_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
               env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova "useCA" .Values.manifests.certificates}}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 14 }}
 {{- end }}
               command:
@@ -69,7 +72,7 @@
                   readOnly: true
                 - name: etcnova
                   mountPath: /etc/nova
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
           volumes:
             - name: pod-tmp
               emptyDir: {}
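Review bot: The changed `tls_volume_mount` line is now reachable with `tls.identity` alone but still passes no `"path"`, whereas the archive-deleted-rows and cell-setup jobs mount the same secret with `"path" "/etc/nova/certs"`. Depending on how the helper treats a missing path, the certificate files may land at the container root rather than where the client looks for its CA bundle; the helper is not part of this hunk, so please confirm. If the job only needs the CA, adding `"path" "/etc/nova/certs" "certs" (tuple "ca.crt")` would match the conductor deployment and avoid mounting the private key, provided that path agrees with what the openrc env vars point at.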
@@ -83,5 +86,5 @@
               configMap:
                 name: nova-bin
                 defaultMode: 0555
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- end }}
diff --git a/charts/nova/templates/daemonset-compute.yaml b/charts/nova/templates/daemonset-compute.yaml
index e600e58..f6bab51 100644
--- a/charts/nova/templates/daemonset-compute.yaml
+++ b/charts/nova/templates/daemonset-compute.yaml
@@ -78,6 +78,9 @@
 {{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       nodeSelector:
         {{ .Values.labels.agent.compute.node_selector_key }}: {{ .Values.labels.agent.compute.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.nova.enabled }}
+{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -273,7 +276,7 @@
               value: "{{ .Values.pod.probes.rpc_timeout }}"
             - name: RPC_PROBE_RETRIES
               value: "{{ .Values.pod.probes.rpc_retries }}"
-{{- if .Values.manifests.certificates }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
             - name: REQUESTS_CA_BUNDLE
               value: "/etc/nova/certs/ca.crt"
 {{- end }}
@@ -428,7 +431,7 @@
               subPath: tf-plugin.pth
               readOnly: true
             {{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{- if .Values.network.ssh.enabled }}
@@ -441,7 +444,7 @@
               value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
             - name: SSH_PORT
               value: {{ .Values.network.ssh.port | quote }}
-{{- if .Values.manifests.certificates }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
             - name: REQUESTS_CA_BUNDLE
               value: "/etc/nova/certs/ca.crt"
 {{- end }}
@@ -457,7 +460,7 @@
               mountPath: /tmp/ssh-start.sh
               subPath: ssh-start.sh
               readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
         {{ end }}
       volumes:
@@ -543,7 +546,7 @@
         - name: tf-plugin-bin
           emptyDir: {}
         {{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/charts/nova/templates/deployment-api-metadata.yaml b/charts/nova/templates/deployment-api-metadata.yaml
index c663a23..e7039f5 100644
--- a/charts/nova/templates/deployment-api-metadata.yaml
+++ b/charts/nova/templates/deployment-api-metadata.yaml
@@ -13,12 +13,16 @@
 */}}
 
 {{- define "novaApiMetadataLivenessProbeTemplate" }}
-tcpSocket:
+httpGet:
+  scheme: {{ tuple "compute_metadata" "service" "metadata" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+  path: /
   port: {{ .Values.network.metadata.port }}
 {{- end }}
 
 {{- define "novaApiMetadataReadinessProbeTemplate" }}
-tcpSocket:
+httpGet:
+  scheme: {{ tuple "compute_metadata" "service" "metadata" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+  path: /
   port: {{ .Values.network.metadata.port }}
 {{- end }}
 
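Review bot: Both probe templates now take the scheme from the `compute_metadata` endpoint lookup but still take the port from `.Values.network.metadata.port`, so the two can disagree; the osapi probes in deployment-api-osapi.yaml read scheme and port from the same endpoint entry. If the endpoint's scheme resolves to `https` because TLS is terminated in front of the pod while the container itself listens in plain HTTP, the kubelet's probe would fail and restart a healthy pod; the values that decide this are not visible here. The removed placement template in this commit carried a note that an HTTP probe returns 401 there, so a one-line comment such as `# NOTE: GET / is expected to answer without authentication; revisit if auth middleware covers the root path` above each `httpGet` would record why the switch from `tcpSocket` is safe.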
@@ -61,6 +65,9 @@
 {{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
       nodeSelector:
         {{ .Values.labels.api_metadata.node_selector_key }}: {{ .Values.labels.api_metadata.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.nova.enabled }}
+{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.metadata.timeout | default "30" }}
       initContainers:
 {{ tuple $envAll "api_metadata" $mounts_nova_api_metadata_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
@@ -88,6 +95,11 @@
 {{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "nova" "container" "nova_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/nova/certs/ca.crt"
+{{- end }}
           command:
             - /tmp/nova-api-metadata.sh
             - start
@@ -179,7 +191,7 @@
               readOnly: true
             {{- end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute_metadata.metadata.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }}
       volumes:
         - name: pod-tmp
@@ -199,6 +211,6 @@
         - name: pod-shared
           emptyDir: {}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/charts/nova/templates/deployment-api-osapi.yaml b/charts/nova/templates/deployment-api-osapi.yaml
index 41c1faf..4cb6744 100644
--- a/charts/nova/templates/deployment-api-osapi.yaml
+++ b/charts/nova/templates/deployment-api-osapi.yaml
@@ -13,13 +13,17 @@
 */}}
 
 {{- define "novaApiOsapiLivenessProbeTemplate" }}
-tcpSocket:
-  port: {{ tuple "compute" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+httpGet:
+  scheme: {{ tuple "compute" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+  path: /
+  port: {{ tuple "compute" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 {{- end }}
 
 {{- define "novaApiOsapiReadinessProbeTemplate" }}
-tcpSocket:
-  port: {{ tuple "compute" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+httpGet:
+  scheme: {{ tuple "compute" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+  path: /
+  port: {{ tuple "compute" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 {{- end }}
 
 {{- if .Values.manifests.deployment_api_osapi }}
@@ -61,6 +65,9 @@
 {{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
       nodeSelector:
         {{ .Values.labels.osapi.node_selector_key }}: {{ .Values.labels.osapi.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.nova.enabled }}
+{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.osapi.timeout | default "30" }}
       initContainers:
 {{ tuple $envAll "api" $mounts_nova_api_osapi_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
@@ -69,6 +76,11 @@
 {{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "nova" "container" "nova_osapi" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/nova/certs/ca.crt"
+{{- end }}
           command:
             - /tmp/nova-api.sh
             - start
@@ -80,7 +92,7 @@
                   - stop
           ports:
             - name: n-api
-              containerPort: {{ tuple "compute" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              containerPort: {{ tuple "compute" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 {{ dict "envAll" $envAll "component" "api-osapi" "container" "default" "type" "liveness" "probeTemplate" (include "novaApiOsapiLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
 {{ dict "envAll" $envAll "component" "api-osapi" "container" "default" "type" "readiness" "probeTemplate" (include "novaApiOsapiReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
           volumeMounts:
@@ -127,7 +139,7 @@
               readOnly: true
             {{- end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }}
       volumes:
@@ -148,7 +160,7 @@
             secretName: nova-etc
             defaultMode: 0444
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/charts/nova/templates/deployment-conductor.yaml b/charts/nova/templates/deployment-conductor.yaml
index 5335a4c..df07583 100644
--- a/charts/nova/templates/deployment-conductor.yaml
+++ b/charts/nova/templates/deployment-conductor.yaml
@@ -74,6 +74,9 @@
 {{ tuple $envAll "nova" "conductor" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
       nodeSelector:
         {{ .Values.labels.conductor.node_selector_key }}: {{ .Values.labels.conductor.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.nova.enabled }}
+{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       initContainers:
 {{ tuple $envAll "conductor" $mounts_nova_conductor_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
@@ -88,7 +91,7 @@
               value: "{{ .Values.pod.probes.rpc_timeout }}"
             - name: RPC_PROBE_RETRIES
               value: "{{ .Values.pod.probes.rpc_retries }}"
-{{- if .Values.manifests.certificates }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
             - name: REQUESTS_CA_BUNDLE
               value: "/etc/nova/certs/ca.crt"
 {{- end }}
@@ -119,7 +122,7 @@
               mountPath: /etc/nova/policy.yaml
               subPath: policy.yaml
               readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }}
@@ -134,7 +137,7 @@
           secret:
             secretName: nova-etc
             defaultMode: 0444
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }}
diff --git a/charts/nova/templates/deployment-consoleauth.yaml b/charts/nova/templates/deployment-consoleauth.yaml
deleted file mode 100644
index c4a781f..0000000
--- a/charts/nova/templates/deployment-consoleauth.yaml
+++ /dev/null
@@ -1,133 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- define "novaConsoleauthLivenessProbeTemplate" }}
-exec:
-  command:
-    - python
-    - /tmp/health-probe.py
-    - --config-file
-    - /etc/nova/nova.conf
-    - --service-queue-name
-    - consoleauth
-    - --liveness-probe
-{{- end }}
-
-{{- define "novaConsoleauthReadinessProbeTemplate" }}
-exec:
-  command:
-    - python
-    - /tmp/health-probe.py
-    - --config-file
-    - /etc/nova/nova.conf
-    - --service-queue-name
-    - consoleauth
-{{- end }}
-
-{{- if .Values.manifests.deployment_consoleauth }}
-{{- $envAll := . }}
-
-{{- $mounts_nova_consoleauth := .Values.pod.mounts.nova_consoleauth.nova_consoleauth }}
-{{- $mounts_nova_consoleauth_init := .Values.pod.mounts.nova_consoleauth.init_container }}
-
-{{- $serviceAccountName := "nova-consoleauth" }}
-{{ tuple $envAll "consoleauth" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nova-consoleauth
-  annotations:
-    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
-  labels:
-{{ tuple $envAll "nova" "consoleauth" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-spec:
-  replicas: {{ .Values.pod.replicas.consoleauth }}
-  selector:
-    matchLabels:
-{{ tuple $envAll "nova" "consoleauth" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
-{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
-  template:
-    metadata:
-      labels:
-{{ tuple $envAll "nova" "consoleauth" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
-      annotations:
-{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
-        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
-        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "nova-consoleauth" "containerNames" (list "nova-consoleauth" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
-    spec:
-      serviceAccountName: {{ $serviceAccountName }}
-{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
-      affinity:
-{{ tuple $envAll "nova" "consoleauth" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
-      nodeSelector:
-        {{ .Values.labels.consoleauth.node_selector_key }}: {{ .Values.labels.consoleauth.node_selector_value }}
-      initContainers:
-{{ tuple $envAll "consoleauth" $mounts_nova_consoleauth_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
-      containers:
-        - name: nova-consoleauth
-{{ tuple $envAll "nova_consoleauth" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ tuple $envAll $envAll.Values.pod.resources.consoleauth | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "nova" "container" "nova_consoleauth" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-{{ dict "envAll" $envAll "component" "consoleauth" "container" "default" "type" "liveness" "probeTemplate" (include "novaConsoleauthLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
-{{ dict "envAll" $envAll "component" "consoleauth" "container" "default" "type" "readiness" "probeTemplate" (include "novaConsoleauthReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
-          env:
-            - name: RPC_PROBE_TIMEOUT
-              value: "{{ .Values.pod.probes.rpc_timeout }}"
-            - name: RPC_PROBE_RETRIES
-              value: "{{ .Values.pod.probes.rpc_retries }}"
-          command:
-            - /tmp/nova-consoleauth.sh
-          volumeMounts:
-            - name: pod-tmp
-              mountPath: /tmp
-            - name: nova-bin
-              mountPath: /tmp/nova-consoleauth.sh
-              subPath: nova-consoleauth.sh
-              readOnly: true
-            - name: nova-bin
-              mountPath: /tmp/health-probe.py
-              subPath: health-probe.py
-              readOnly: true
-            - name: nova-etc
-              mountPath: /etc/nova/nova.conf
-              subPath: nova.conf
-              readOnly: true
-            {{- if .Values.conf.nova.DEFAULT.log_config_append }}
-            - name: nova-etc
-              mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
-              subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
-              readOnly: true
-            {{- end }}
-            - name: nova-etc
-              mountPath: /etc/nova/policy.yaml
-              subPath: policy.yaml
-              readOnly: true
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{ if $mounts_nova_consoleauth.volumeMounts }}{{ toYaml $mounts_nova_consoleauth.volumeMounts | indent 12 }}{{ end }}
-      volumes:
-        - name: pod-tmp
-          emptyDir: {}
-        - name: nova-bin
-          configMap:
-            name: nova-bin
-            defaultMode: 0555
-        - name: nova-etc
-          secret:
-            secretName: nova-etc
-            defaultMode: 0444
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{ if $mounts_nova_consoleauth.volumes }}{{ toYaml $mounts_nova_consoleauth.volumes | indent 8 }}{{ end }}
-{{- end }}
diff --git a/charts/nova/templates/deployment-novncproxy.yaml b/charts/nova/templates/deployment-novncproxy.yaml
index 68db32a..517005d 100644
--- a/charts/nova/templates/deployment-novncproxy.yaml
+++ b/charts/nova/templates/deployment-novncproxy.yaml
@@ -61,6 +61,9 @@
 {{ tuple $envAll "nova" "novnc-proxy" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
       nodeSelector:
         {{ .Values.labels.novncproxy.node_selector_key }}: {{ .Values.labels.novncproxy.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.nova.enabled }}
+{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
 {{- if .Values.pod.useHostNetwork.novncproxy }}
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
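Review bot: The three added lines gate tolerations on one chart-wide switch, `pod.tolerations.nova.enabled`, so every nova pod gets the same toleration list, including the noVNC proxy, which the lines just below can run with `hostNetwork: true`. The identical block is added in deployment-scheduler.yaml, deployment-spiceproxy.yaml (where `hostNetwork: true` is unconditional in the visible context), job-bootstrap.yaml and job-cell-setup.yaml. The helper-based job templates set `tolerationsEnabled` from the same switch. The toleration list itself lives in values and is not visible here, so this is a documentation request rather than a defect. Add a template comment above the `if`, such as `{{/* shared by all nova pods via pod.tolerations.nova; list only the taints these pods must tolerate */}}`.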
diff --git a/charts/nova/templates/deployment-placement.yaml b/charts/nova/templates/deployment-placement.yaml
deleted file mode 100644
index 1391cd9..0000000
--- a/charts/nova/templates/deployment-placement.yaml
+++ /dev/null
@@ -1,142 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- define "novaPlacementLivenessProbeTemplate" }}
-tcpSocket:
-  port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{- end }}
-
-{{- define "novaPlacementReadinessProbeTemplate" }}
-#NOTE(portdirect): use tcpSocket check as HTTP will return 401
-tcpSocket:
-  port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{- end }}
-
-{{- if .Values.manifests.deployment_placement }}
-{{- $envAll := . }}
-
-{{- $mounts_nova_placement := .Values.pod.mounts.nova_placement.nova_placement }}
-{{- $mounts_nova_placement_init := .Values.pod.mounts.nova_placement.init_container }}
-
-{{- $serviceAccountName := "nova-placement-api" }}
-{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nova-placement-api
-  annotations:
-    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
-  labels:
-{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-spec:
-  replicas: {{ .Values.pod.replicas.placement }}
-  selector:
-    matchLabels:
-{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
-{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
-  template:
-    metadata:
-      labels:
-{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
-      annotations:
-{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
-        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
-        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "nova-placement" "containerNames" (list "nova-placement-api" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
-    spec:
-      serviceAccountName: {{ $serviceAccountName }}
-      affinity:
-{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
-      nodeSelector:
-        {{ .Values.labels.placement.node_selector_key }}: {{ .Values.labels.placement.node_selector_value }}
-      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.placement.timeout | default "30" }}
-      initContainers:
-{{ tuple $envAll "api" $mounts_nova_placement_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
-      containers:
-        - name: nova-placement-api
-{{ tuple $envAll "nova_placement" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ tuple $envAll $envAll.Values.pod.resources.placement | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "nova" "container" "nova_placement_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-          command:
-            - /tmp/nova-placement-api.sh
-            - start
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                  - /tmp/nova-placement-api.sh
-                  - stop
-          ports:
-            - name: p-api
-              containerPort: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{ dict "envAll" $envAll "component" "placement" "container" "default" "type" "liveness" "probeTemplate" (include "novaPlacementLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
-{{ dict "envAll" $envAll "component" "placement" "container" "default" "type" "readiness" "probeTemplate" (include "novaPlacementReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
-          volumeMounts:
-            - name: pod-tmp
-              mountPath: /tmp
-            - name: wsgi-nova
-              mountPath: /var/www/cgi-bin/nova
-            - name: nova-bin
-              mountPath: /tmp/nova-placement-api.sh
-              subPath: nova-placement-api.sh
-              readOnly: true
-            - name: nova-etc
-              mountPath: /etc/nova/nova.conf
-              subPath: nova.conf
-              readOnly: true
-            {{- if .Values.conf.nova.DEFAULT.log_config_append }}
-            - name: nova-etc
-              mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
-              subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
-              readOnly: true
-            {{- end }}
-            - name: nova-etc
-              mountPath: /etc/nova/api-paste.ini
-              subPath: api-paste.ini
-              readOnly: true
-            - name: nova-etc
-              mountPath: /etc/nova/policy.yaml
-              subPath: policy.yaml
-              readOnly: true
-            - name: nova-etc
-              mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-nova-placement.conf
-              subPath: wsgi-nova-placement.conf
-              readOnly: true
-{{- if .Values.conf.security }}
-            - name: nova-etc
-              mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
-              subPath: security.conf
-              readOnly: true
-{{- end }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{ if $mounts_nova_placement.volumeMounts }}{{ toYaml $mounts_nova_placement.volumeMounts | indent 12 }}{{ end }}
-      volumes:
-        - name: pod-tmp
-          emptyDir: {}
-        - name: wsgi-nova
-          emptyDir: {}
-        - name: nova-bin
-          configMap:
-            name: nova-bin
-            defaultMode: 0555
-        - name: nova-etc
-          secret:
-            secretName: nova-etc
-            defaultMode: 0444
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{ if $mounts_nova_placement.volumes }}{{ toYaml $mounts_nova_placement.volumes | indent 8 }}{{ end }}
-{{- end }}
diff --git a/charts/nova/templates/deployment-scheduler.yaml b/charts/nova/templates/deployment-scheduler.yaml
index b8a465e..e8a63a2 100644
--- a/charts/nova/templates/deployment-scheduler.yaml
+++ b/charts/nova/templates/deployment-scheduler.yaml
@@ -74,6 +74,9 @@
 {{ tuple $envAll "nova" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
       nodeSelector:
         {{ .Values.labels.scheduler.node_selector_key }}: {{ .Values.labels.scheduler.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.nova.enabled }}
+{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       initContainers:
 {{ tuple $envAll "scheduler" $mounts_nova_scheduler_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
@@ -88,7 +91,7 @@
               value: "{{ .Values.pod.probes.rpc_timeout }}"
             - name: RPC_PROBE_RETRIES
               value: "{{ .Values.pod.probes.rpc_retries }}"
-{{- if .Values.manifests.certificates }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
             - name: REQUESTS_CA_BUNDLE
               value: "/etc/nova/certs/ca.crt"
 {{- end }}
@@ -120,7 +123,7 @@
               subPath: policy.yaml
               readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}
       volumes:
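Review bot: The widened condition on the `/etc/nova/certs` mount means that setting only `tls.identity` now mounts the `secrets.tls.compute.osapi.internal` secret into the scheduler, yet the only file this pod is shown to use from it is `ca.crt` (the `REQUESTS_CA_BUNDLE` value in the previous hunk). The snippet's definition is not on this page, but unless told otherwise it presumably mounts the secret's certificate and private key as well, which a pod that only verifies a peer's certificate has no need to hold. If the bundled helm-toolkit supports it, limit the mount by adding `"certs" (tuple "ca.crt")` to the dict; the removed line in job-cell-setup.yaml shows an earlier attempt to pass `(tuple "ca.crt")`. The same applies to the widened mounts in job-bootstrap.yaml and job-cell-setup.yaml. The container spec starts outside this hunk.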
@@ -135,7 +138,7 @@
             secretName: nova-etc
             defaultMode: 0444
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/charts/nova/templates/deployment-spiceproxy.yaml b/charts/nova/templates/deployment-spiceproxy.yaml
index 98046a0..e430d25 100644
--- a/charts/nova/templates/deployment-spiceproxy.yaml
+++ b/charts/nova/templates/deployment-spiceproxy.yaml
@@ -60,6 +60,9 @@
 {{ tuple $envAll "nova" "spice-proxy" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
       nodeSelector:
         {{ .Values.labels.spiceproxy.node_selector_key }}: {{ .Values.labels.spiceproxy.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.nova.enabled }}
+{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
       initContainers:
diff --git a/charts/nova/templates/ingress-placement.yaml b/charts/nova/templates/ingress-placement.yaml
deleted file mode 100644
index 28b0f0d..0000000
--- a/charts/nova/templates/ingress-placement.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if and .Values.manifests.ingress_placement .Values.network.placement.ingress.public }}
-{{- $envAll := . -}}
-{{- $ingressOpts := dict "envAll" $envAll "backendService" "placement" "backendServiceType" "placement" "backendPort" "p-api" -}}
-{{- $secretName := $envAll.Values.secrets.tls.placement.placement.internal -}}
-{{- if and .Values.manifests.certificates $secretName }}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.placement.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end }}
-{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
-{{- end }}
diff --git a/charts/nova/templates/job-bootstrap.yaml b/charts/nova/templates/job-bootstrap.yaml
index c105f56..eb5e602 100644
--- a/charts/nova/templates/job-bootstrap.yaml
+++ b/charts/nova/templates/job-bootstrap.yaml
@@ -16,6 +16,7 @@
 {{- if and $envAll.Values.manifests.job_bootstrap $envAll.Values.bootstrap.enabled }}
 {{- $serviceName := "nova" -}}
 {{- $keystoneUser := $envAll.Values.bootstrap.ks_user -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
 {{- $configMapBin := printf "%s-%s" $serviceName "bin" -}}
 {{- $configMapEtc := printf "%s-%s" $serviceName "etc" -}}
 {{- $configFile := printf "/etc/%s/%s.conf" $serviceName $serviceName -}}
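Review bot: The added `$backoffLimit` line reads `index . "backoffLimit"`, but `.` in this template appears to be the chart's root context rather than a parameter dict. If so, the lookup is normally empty and the Job always gets the default of 1000 retries, used at `backoffLimit: {{ $backoffLimit }}` in the next hunk. A bootstrap job that authenticates with Keystone credentials and fails persistently would then keep retrying for a long time before the Job is marked failed, which delays detection of a broken or misconfigured deployment. Consider taking the limit from a chart value with a much smaller default, e.g. `{{- $backoffLimit := <VALUES_KEY_FOR_BOOTSTRAP_BACKOFF> | default 6 -}}`, where the key is a placeholder for whatever name the chart's values use.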
@@ -31,6 +32,7 @@
   labels:
 {{ tuple $envAll "nova" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
+  backoffLimit: {{ $backoffLimit }}
   template:
     metadata:
       labels:
@@ -43,6 +45,9 @@
       restartPolicy: OnFailure
       nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.nova.enabled }}
+{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       initContainers:
 {{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
 {{- if $envAll.Values.bootstrap.wait_for_computes.enabled }}
@@ -68,7 +73,7 @@
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "bootstrap" "container" "bootstrap" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
-{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" .Values.manifests.certificates }}
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: WAIT_PERCENTAGE
@@ -96,7 +101,7 @@
               mountPath: {{ $logConfigFile | quote }}
               subPath: {{ base $logConfigFile | quote }}
               readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
       volumes:
         - name: pod-tmp
           emptyDir: {}
@@ -110,7 +115,7 @@
           secret:
             secretName: {{ $configMapEtc | quote }}
             defaultMode: 0444
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/charts/nova/templates/job-cell-setup.yaml b/charts/nova/templates/job-cell-setup.yaml
index cdcdf25..1ba49cb 100644
--- a/charts/nova/templates/job-cell-setup.yaml
+++ b/charts/nova/templates/job-cell-setup.yaml
@@ -38,6 +38,9 @@
       restartPolicy: OnFailure
       nodeSelector:
         {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.nova.enabled }}
+{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       initContainers:
 {{ tuple $envAll "cell_setup" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 {{- if $envAll.Values.bootstrap.wait_for_computes.enabled }}
@@ -61,7 +64,7 @@
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
           command:
@@ -73,12 +76,17 @@
               mountPath: /tmp/cell-setup-init.sh
               subPath: cell-setup-init.sh
               readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
       containers:
         - name: nova-cell-setup
 {{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/nova/certs/ca.crt"
+{{- end }}
           command:
             - /tmp/cell-setup.sh
           volumeMounts:
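Review bot: The `REQUESTS_CA_BUNDLE` added for the `nova-cell-setup` container points at `/etc/nova/certs/ca.crt`, but the `tls_volume_mount` added for this container in the next hunk passes no `"path"`, and neither does the init-container mount changed in this hunk. The secret is therefore mounted wherever the snippet defaults to, whereas deployment-scheduler.yaml pairs the same variable with `"path" "/etc/nova/certs"`. The snippet's definition is not on this page; if its default location differs, the bundle path will not exist and certificate verification in the job will fail. Adding `"path" "/etc/nova/certs"` to the dict on the container's mount line would align the two. The container spec continues outside this hunk.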
@@ -105,6 +113,7 @@
               subPath: policy.yaml
               readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
       volumes:
         - name: pod-tmp
           emptyDir: {}
@@ -119,7 +128,7 @@
             name: nova-bin
             defaultMode: 0555
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/charts/nova/templates/job-db-drop.yaml b/charts/nova/templates/job-db-drop.yaml
index 9a6b1a0..b0471ef 100644
--- a/charts/nova/templates/job-db-drop.yaml
+++ b/charts/nova/templates/job-db-drop.yaml
@@ -22,5 +22,8 @@
 {{- if .Values.manifests.certificates -}}
 {{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
 {{- end -}}
+{{- if .Values.pod.tolerations.nova.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
 {{- end }}
diff --git a/charts/nova/templates/job-db-init.yaml b/charts/nova/templates/job-db-init.yaml
index b1ca870..72b0a80 100644
--- a/charts/nova/templates/job-db-init.yaml
+++ b/charts/nova/templates/job-db-init.yaml
@@ -30,5 +30,8 @@
 {{- if .Values.helm3_hook }}
 {{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
 {{- end }}
+{{- if .Values.pod.tolerations.nova.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
 {{- end }}
diff --git a/charts/nova/templates/job-db-sync.yaml b/charts/nova/templates/job-db-sync.yaml
index 3cd8cac..061e18f 100644
--- a/charts/nova/templates/job-db-sync.yaml
+++ b/charts/nova/templates/job-db-sync.yaml
@@ -46,5 +46,8 @@
 {{- if .Values.helm3_hook }}
 {{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
 {{- end }}
+{{- if .Values.pod.tolerations.nova.enabled -}}
+{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
 {{- end }}
diff --git a/charts/nova/templates/job-image-repo-sync.yaml b/charts/nova/templates/job-image-repo-sync.yaml
index fe488dd..e2ee66d 100644
--- a/charts/nova/templates/job-image-repo-sync.yaml
+++ b/charts/nova/templates/job-image-repo-sync.yaml
@@ -21,5 +21,8 @@
 {{- if .Values.helm3_hook }}
 {{- $_ := set $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
 {{- end }}
+{{- if .Values.pod.tolerations.nova.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
 {{- end }}
diff --git a/charts/nova/templates/job-ks-endpoints.yaml b/charts/nova/templates/job-ks-endpoints.yaml
index 5057ebc..1e41ec4 100644
--- a/charts/nova/templates/job-ks-endpoints.yaml
+++ b/charts/nova/templates/job-ks-endpoints.yaml
@@ -19,11 +19,14 @@
 
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
 {{- end }}
+{{- if .Values.pod.tolerations.nova.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
 {{- end }}
diff --git a/charts/nova/templates/job-ks-placement-endpoints.yaml b/charts/nova/templates/job-ks-placement-endpoints.yaml
deleted file mode 100644
index 2147f3c..0000000
--- a/charts/nova/templates/job-ks-placement-endpoints.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.job_ks_placement_endpoints }}
-{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
-{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
-{{- end -}}
-{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
-{{- end }}
diff --git a/charts/nova/templates/job-ks-placement-service.yaml b/charts/nova/templates/job-ks-placement-service.yaml
deleted file mode 100644
index c2c8865..0000000
--- a/charts/nova/templates/job-ks-placement-service.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.job_ks_placement_service }}
-{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
-{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
-{{- end -}}
-{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
-{{- end }}
diff --git a/charts/nova/templates/job-ks-placement-user.yaml b/charts/nova/templates/job-ks-placement-user.yaml
deleted file mode 100644
index 035c2f0..0000000
--- a/charts/nova/templates/job-ks-placement-user.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.job_ks_placement_user }}
-{{- $ksUserJob := dict "envAll" . "serviceName" "placement" "serviceUser" "placement" "configMapBin" "nova-bin" -}}
-{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
-{{- end -}}
-{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
-{{- end }}
diff --git a/charts/nova/templates/job-ks-service.yaml b/charts/nova/templates/job-ks-service.yaml
index d9eb3b5..9e7a551 100644
--- a/charts/nova/templates/job-ks-service.yaml
+++ b/charts/nova/templates/job-ks-service.yaml
@@ -19,11 +19,14 @@
 
 {{- if .Values.manifests.job_ks_service }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
 {{- end }}
+{{- if .Values.pod.tolerations.nova.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
 {{- end }}
diff --git a/charts/nova/templates/job-ks-user.yaml b/charts/nova/templates/job-ks-user.yaml
index e5613cc..7d0f019 100644
--- a/charts/nova/templates/job-ks-user.yaml
+++ b/charts/nova/templates/job-ks-user.yaml
@@ -19,11 +19,14 @@
 
 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "nova" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
 {{- end }}
+{{- if .Values.pod.tolerations.nova.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{- end }}
diff --git a/charts/nova/templates/job-rabbit-init.yaml b/charts/nova/templates/job-rabbit-init.yaml
index ffbb270..b5133d3 100644
--- a/charts/nova/templates/job-rabbit-init.yaml
+++ b/charts/nova/templates/job-rabbit-init.yaml
@@ -25,5 +25,8 @@
 {{- if .Values.helm3_hook }}
 {{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
 {{- end }}
+{{- if .Values.pod.tolerations.nova.enabled -}}
+{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
 {{- end }}
diff --git a/charts/nova/templates/netpol-placement.yaml b/charts/nova/templates/netpol-placement.yaml
deleted file mode 100644
index 18feb04..0000000
--- a/charts/nova/templates/netpol-placement.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.network_policy -}}
-{{- if .Values.manifests.deployment_placement -}}
-{{- $netpol_opts := dict "envAll" . "name" "application" "label" "placement" }}
-{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
-{{- end -}}
-{{- end -}}
diff --git a/charts/nova/templates/pdb-metadata.yaml b/charts/nova/templates/pdb-metadata.yaml
index 6fba271..e2c9a12 100644
--- a/charts/nova/templates/pdb-metadata.yaml
+++ b/charts/nova/templates/pdb-metadata.yaml
@@ -15,7 +15,7 @@
 {{- if .Values.manifests.pdb_metadata }}
 {{- $envAll := . }}
 ---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: nova-api-metadata
diff --git a/charts/nova/templates/pdb-osapi.yaml b/charts/nova/templates/pdb-osapi.yaml
index 81971d1..a095d5f 100644
--- a/charts/nova/templates/pdb-osapi.yaml
+++ b/charts/nova/templates/pdb-osapi.yaml
@@ -15,7 +15,7 @@
 {{- if .Values.manifests.pdb_osapi }}
 {{- $envAll := . }}
 ---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: nova-api-osapi
diff --git a/charts/nova/templates/pdb-placement.yaml b/charts/nova/templates/pdb-placement.yaml
deleted file mode 100644
index db7e1c7..0000000
--- a/charts/nova/templates/pdb-placement.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.pdb_placement }}
-{{- $envAll := . }}
----
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
-  name: nova-placement-api
-spec:
-  minAvailable: {{ .Values.pod.lifecycle.disruption_budget.placement.min_available }}
-  selector:
-    matchLabels:
-{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
-{{- end }}
diff --git a/charts/nova/templates/pod-rally-test.yaml b/charts/nova/templates/pod-rally-test.yaml
index eabe8b6..d53f204 100644
--- a/charts/nova/templates/pod-rally-test.yaml
+++ b/charts/nova/templates/pod-rally-test.yaml
@@ -12,19 +12,25 @@
 limitations under the License.
 */}}
 
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
 {{- if .Values.manifests.pod_rally_test }}
 {{- $envAll := . }}
 
 {{- $mounts_tests := .Values.pod.mounts.nova_tests.nova_tests }}
 {{- $mounts_tests_init := .Values.pod.mounts.nova_tests.init_container }}
 
-{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
 {{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: v1
 kind: Pod
 metadata:
-  name: {{ print $envAll.Release.Name "-test" }}
+  name: {{ print $envAll.deployment_name "-test" }}
   labels:
 {{ tuple $envAll "nova" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
   annotations:
@@ -34,6 +40,9 @@
 spec:
   nodeSelector:
     {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.nova.enabled }}
+{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }}
+{{ end }}
   restartPolicy: Never
   serviceAccountName: {{ $serviceAccountName }}
   initContainers:
@@ -74,7 +83,7 @@
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
 {{- end }}
         - name: RALLY_ENV_NAME
-          value: {{.Release.Name}}
+          value: {{.deployment_name}}
       command:
         - /tmp/rally-test.sh
       volumeMounts:
diff --git a/charts/nova/templates/secret-keystone-placement.yaml b/charts/nova/templates/secret-keystone-placement.yaml
deleted file mode 100644
index bdce9b5..0000000
--- a/charts/nova/templates/secret-keystone-placement.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.secret_keystone_placement }}
-{{- $envAll := . }}
-{{- range $key1, $userClass := tuple "placement" }}
-{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ $secretName }}
-type: Opaque
-data:
-{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
-{{- end }}
-{{- end }}
diff --git a/charts/nova/templates/bin/_nova-consoleauth.sh.tpl b/charts/nova/templates/secret-registry.yaml
similarity index 71%
copy from charts/nova/templates/bin/_nova-consoleauth.sh.tpl
copy to charts/nova/templates/secret-registry.yaml
index 97c4195..da979b3 100644
--- a/charts/nova/templates/bin/_nova-consoleauth.sh.tpl
+++ b/charts/nova/templates/secret-registry.yaml
@@ -1,5 +1,3 @@
-#!/bin/bash
-
 {{/*
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,6 +12,6 @@
 limitations under the License.
 */}}
 
-set -x
-exec nova-consoleauth \
-      --config-file /etc/nova/nova.conf
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/nova/templates/service-ingress-placement.yaml b/charts/nova/templates/service-ingress-placement.yaml
deleted file mode 100644
index 5d9e6a6..0000000
--- a/charts/nova/templates/service-ingress-placement.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if and .Values.manifests.service_ingress_placement .Values.network.placement.ingress.public }}
-{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "placement" -}}
-{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
-{{- end }}
diff --git a/charts/nova/templates/service-osapi.yaml b/charts/nova/templates/service-osapi.yaml
index 91ab52c..4aa1d4f 100644
--- a/charts/nova/templates/service-osapi.yaml
+++ b/charts/nova/templates/service-osapi.yaml
@@ -22,7 +22,7 @@
 spec:
   ports:
   - name: n-api
-    port: {{ tuple "compute" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    port: {{ tuple "compute" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
     {{ if .Values.network.osapi.node_port.enabled }}
     nodePort: {{ .Values.network.osapi.node_port.port }}
     {{ end }}
diff --git a/charts/nova/templates/service-placement.yaml b/charts/nova/templates/service-placement.yaml
deleted file mode 100644
index 8e1f3d5..0000000
--- a/charts/nova/templates/service-placement.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.service_placement }}
-{{- $envAll := . }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ tuple "placement" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-spec:
-  ports:
-  - name: p-api
-    port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-    {{ if .Values.network.placement.node_port.enabled }}
-    nodePort: {{ .Values.network.placement.node_port.port }}
-    {{ end }}
-  selector:
-{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-  {{ if .Values.network.placement.node_port.enabled }}
-  type: NodePort
-  {{ end }}
-{{- end }}
diff --git a/charts/nova/values.yaml b/charts/nova/values.yaml
index 7d4c1e5..8609d41 100644
--- a/charts/nova/values.yaml
+++ b/charts/nova/values.yaml
@@ -32,9 +32,6 @@
   conductor:
     node_selector_key: openstack-control-plane
     node_selector_value: enabled
-  consoleauth:
-    node_selector_key: openstack-control-plane
-    node_selector_value: enabled
   job:
     node_selector_key: openstack-control-plane
     node_selector_value: enabled
@@ -44,9 +41,6 @@
   osapi:
     node_selector_key: openstack-control-plane
     node_selector_value: enabled
-  placement:
-    node_selector_key: openstack-control-plane
-    node_selector_value: enabled
   scheduler:
     node_selector_key: openstack-control-plane
     node_selector_value: enabled
@@ -60,33 +54,31 @@
 images:
   pull_policy: IfNotPresent
   tags:
-    bootstrap: docker.io/openstackhelm/heat:stein-ubuntu_bionic
-    db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
-    db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+    bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
     dep_check: 'quay.io/airshipit/kubernetes-entrypoint:v1.0.0'
     rabbit_init: docker.io/rabbitmq:3.7-management
-    ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
-    ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
-    nova_archive_deleted_rows: docker.io/openstackhelm/nova:stein-ubuntu_bionic
-    ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
-    nova_api: docker.io/openstackhelm/nova:stein-ubuntu_bionic
-    nova_cell_setup: docker.io/openstackhelm/nova:stein-ubuntu_bionic
-    nova_cell_setup_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
-    nova_compute: docker.io/openstackhelm/nova:stein-ubuntu_bionic
-    nova_compute_ironic: 'docker.io/kolla/ubuntu-source-nova-compute-ironic:ocata'
-    nova_compute_ssh: docker.io/openstackhelm/nova:stein-ubuntu_bionic
-    nova_conductor: docker.io/openstackhelm/nova:stein-ubuntu_bionic
-    nova_consoleauth: docker.io/openstackhelm/nova:stein-ubuntu_bionic
-    nova_db_sync: docker.io/openstackhelm/nova:stein-ubuntu_bionic
-    nova_novncproxy: docker.io/openstackhelm/nova:stein-ubuntu_bionic
-    nova_novncproxy_assets: 'docker.io/kolla/ubuntu-source-nova-novncproxy:ocata'
-    nova_placement: docker.io/openstackhelm/nova:stein-ubuntu_bionic
-    nova_scheduler: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+    ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    ks_service: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    nova_archive_deleted_rows: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
+    ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    nova_api: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
+    nova_cell_setup: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
+    nova_cell_setup_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    nova_compute: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
+    nova_compute_ironic: 'docker.io/kolla/ubuntu-source-nova-compute-ironic:wallaby'
+    nova_compute_ssh: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
+    nova_conductor: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
+    nova_db_sync: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
+    nova_novncproxy: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
+    nova_novncproxy_assets: 'docker.io/kolla/ubuntu-source-nova-novncproxy:wallaby'
+    nova_scheduler: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
     # NOTE(portdirect): we simply use the ceph config helper here,
     # as it has both oscli and jq.
-    nova_service_cleaner: 'docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_xenial'
-    nova_spiceproxy: docker.io/openstackhelm/nova:stein-ubuntu_bionic
-    nova_spiceproxy_assets: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+    nova_service_cleaner: 'docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_focal'
+    nova_spiceproxy: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
+    nova_spiceproxy_assets: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
     test: docker.io/xrally/xrally-openstack:2.0.0
     image_repo_sync: docker.io/docker:17.07.0
     nova_wait_for_computes_init: gcr.io/google_containers/hyperkube-amd64:v1.11.6
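Review bot: `nova_service_cleaner` on the new side still points at a floating tag, `ceph-config-helper:latest-ubuntu_focal`, so with `pull_policy: IfNotPresent` different nodes can end up running different builds of that image. The release-named tags added here (`wallaby-ubuntu_focal`) are mutable as well. Pinning by digest, for example `docker.io/openstackhelm/nova:wallaby-ubuntu_focal@sha256:DIGEST_PLACEHOLDER`, would make the deployed content reproducible and auditable. Separately, the commit title says Zed while these defaults say wallaby; if the Zed tags come from another values layer, a one-line comment above `tags:` saying so would avoid confusion.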
@@ -240,18 +232,6 @@
     node_port:
       enabled: false
       port: 30775
-  placement:
-    port: 8778
-    ingress:
-      public: true
-      classes:
-        namespace: "nginx"
-        cluster: "nginx-cluster"
-      annotations:
-        nginx.ingress.kubernetes.io/rewrite-target: /
-    node_port:
-      enabled: false
-      port: 30778
   novncproxy:
     ingress:
       public: true
@@ -383,7 +363,6 @@
       jobs:
         - nova-db-sync
         - nova-rabbit-init
-        - placement-ks-endpoints
       services:
         - endpoint: internal
           service: oslo_messaging
@@ -414,20 +393,6 @@
       jobs:
         - nova-db-sync
         - nova-rabbit-init
-        - placement-ks-endpoints
-      services:
-        - endpoint: internal
-          service: oslo_messaging
-        - endpoint: internal
-          service: oslo_db
-        - endpoint: internal
-          service: identity
-        - endpoint: internal
-          service: compute
-    consoleauth:
-      jobs:
-        - nova-db-sync
-        - nova-rabbit-init
       services:
         - endpoint: internal
           service: oslo_messaging
@@ -489,7 +454,6 @@
       jobs:
         - nova-db-sync
         - nova-rabbit-init
-        - placement-ks-endpoints
       services:
         - endpoint: internal
           service: oslo_messaging
@@ -636,14 +600,6 @@
         echo $IMAGES | xargs openstack image delete
       fi
     tests:
-      NovaAgents.list_agents:
-        - runner:
-            concurrency: 1
-            times: 1
-            type: constant
-          sla:
-            failure_rate:
-              max: 0
       NovaAggregates.create_and_get_aggregate_details:
         - args:
             availability_zone: nova
@@ -991,41 +947,6 @@
     # INFO means log all usage
     # ERROR means only log unsuccessful attempts
     syslog_log_level=ERROR
-  wsgi_placement: |
-    Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-
-    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
-    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
-
-    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
-    CustomLog /dev/stdout combined env=!forwarded
-    CustomLog /dev/stdout proxy env=forwarded
-
-    <VirtualHost *:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
-        WSGIDaemonProcess placement-api processes=4 threads=1 user=nova group=nova display-name=%{GROUP}
-        WSGIProcessGroup placement-api
-        WSGIScriptAlias / /var/www/cgi-bin/nova/nova-placement-api
-        WSGIApplicationGroup %{GLOBAL}
-        WSGIPassAuthorization On
-        <IfVersion >= 2.4>
-          ErrorLogFormat "%{cu}t %M"
-        </IfVersion>
-        ErrorLog /dev/stdout
-
-        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
-        CustomLog /dev/stdout combined env=!forwarded
-        CustomLog /dev/stdout proxy env=forwarded
-    </VirtualHost>
-
-    Alias /placement /var/www/cgi-bin/nova/nova-placement-api
-    <Location /placement>
-        SetHandler wsgi-script
-        Options +ExecCGI
-
-        WSGIProcessGroup placement-api
-        WSGIApplicationGroup %{GLOBAL}
-        WSGIPassAuthorization On
-    </Location>
   rootwrap_filters:
     api_metadata:
       pods:
@@ -1605,7 +1526,6 @@
   identity:
     admin: nova-keystone-admin
     nova: nova-keystone-user
-    placement: nova-keystone-placement
     test: nova-keystone-test
   oslo_db:
     admin: nova-db-admin
@@ -1628,10 +1548,6 @@
       novncproxy:
         public: nova-novncproxy-tls-public
         internal: nova-novncproxy-tls-proxy
-    placement:
-      placement:
-        public: placement-tls-public
-        internal: placement-tls-api
     compute_metadata:
       metadata:
         public: metadata-tls-public
@@ -1639,6 +1555,8 @@
     compute_spice_proxy:
       spiceproxy:
         internal: nova-tls-spiceproxy
+  oci_image_registry:
+    nova: nova-oci-image-registry
 
 # typically overridden by environmental
 # values, but should include all endpoints
@@ -1657,6 +1575,21 @@
     port:
       registry:
         node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      nova:
+        username: nova
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
   oslo_db:
     auth:
       admin:
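Review bot: The added `endpoints.oci_image_registry.auth.nova` block ships a literal `password: password` default. The new templates/secret-registry.yaml presumably builds the registry secret from these values once `auth.enabled` is set to true. An operator who enables auth without overriding the credential would then get a secret containing that well-known placeholder. Consider an empty default with a comment such as `# must be overridden when auth.enabled is true`, so a missing override fails visibly instead of looking configured. How `helm-toolkit.manifests.secret_registry` treats an empty value is not visible in this diff and should be confirmed.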
@@ -1851,10 +1784,12 @@
       default: "/v2.1/%(tenant_id)s"
     scheme:
       default: 'http'
+      service: 'http'
     port:
       api:
         default: 8774
         public: 80
+        service: 8774
       novncproxy:
         default: 6080
   compute_metadata:
@@ -1922,10 +1857,12 @@
       default: /
     scheme:
       default: 'http'
+      service: 'http'
     port:
       api:
         default: 8778
         public: 80
+        service: 8778
   network:
     name: neutron
     hosts:
@@ -2056,20 +1993,6 @@
             initialDelaySeconds: 80
             periodSeconds: 90
             timeoutSeconds: 70
-    consoleauth:
-      default:
-        liveness:
-          enabled: True
-          params:
-            initialDelaySeconds: 120
-            periodSeconds: 90
-            timeoutSeconds: 70
-        readiness:
-          enabled: True
-          params:
-            initialDelaySeconds: 80
-            periodSeconds: 90
-            timeoutSeconds: 70
     novncproxy:
       default:
         liveness:
@@ -2084,20 +2007,6 @@
             initialDelaySeconds: 30
             periodSeconds: 60
             timeoutSeconds: 15
-    placement:
-      default:
-        liveness:
-          enabled: True
-          params:
-            initialDelaySeconds: 50
-            periodSeconds: 30
-            timeoutSeconds: 10
-        readiness:
-          enabled: True
-          params:
-            initialDelaySeconds: 15
-            periodSeconds: 30
-            timeoutSeconds: 10
     scheduler:
       default:
         liveness:
@@ -2140,11 +2049,6 @@
         ceph_perms:
           readOnlyRootFilesystem: true
           runAsUser: 0
-        ceph_admin_keyring_placement:
-          readOnlyRootFilesystem: true
-        ceph_keyring_placement:
-          readOnlyRootFilesystem: true
-          allowPrivilegeEscalation: false
         nova_compute_vnc_init:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
@@ -2171,9 +2075,6 @@
         nova_conductor:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
-        nova_consoleauth:
-          readOnlyRootFilesystem: true
-          allowPrivilegeEscalation: false
         nova_novncproxy_init:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
@@ -2183,9 +2084,6 @@
         nova_novncproxy:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
-        nova_placement_api:
-          readOnlyRootFilesystem: false
-          allowPrivilegeEscalation: false
         nova_scheduler:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
@@ -2261,6 +2159,13 @@
         default: kubernetes.io/hostname
       weight:
         default: 10
+  tolerations:
+    nova:
+      enabled: false
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
   mounts:
     nova_compute:
       init_container: null
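Review bot: The new `pod.tolerations.nova` default tolerates only `node-role.kubernetes.io/master`, which newer Kubernetes releases replaced with the `node-role.kubernetes.io/control-plane` taint, so enabling the flag on such clusters would have no effect. The same commit moves the PodDisruptionBudgets to `policy/v1`, which suggests recent clusters are the target. Consider adding a second entry, `- key: node-role.kubernetes.io/control-plane`, with the same `operator: Exists` and `effect: NoSchedule`. A comment should also say that enabling this lets the nova pods and jobs that include the tolerations snippet be scheduled onto control-plane nodes.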
@@ -2277,21 +2182,11 @@
       nova_api_metadata:
         volumeMounts:
         volumes:
-    nova_placement:
-      init_container: null
-      nova_placement:
-        volumeMounts:
-        volumes:
     nova_api_osapi:
       init_container: null
       nova_api_osapi:
         volumeMounts:
         volumes:
-    nova_consoleauth:
-      init_container: null
-      nova_consoleauth:
-        volumeMounts:
-        volumes:
     nova_conductor:
       init_container: null
       nova_conductor:
@@ -2331,10 +2226,8 @@
   replicas:
     api_metadata: 1
     compute_ironic: 1
-    placement: 1
     osapi: 1
     conductor: 1
-    consoleauth: 1
     scheduler: 1
     novncproxy: 1
     spiceproxy: 1
@@ -2355,15 +2248,11 @@
     disruption_budget:
       metadata:
         min_available: 0
-      placement:
-        min_available: 0
       osapi:
         min_available: 0
     termination_grace_period:
       metadata:
         timeout: 30
-      placement:
-        timeout: 30
       osapi:
         timeout: 30
   resources:
@@ -2389,13 +2278,6 @@
       limits:
         memory: "1024Mi"
         cpu: "2000m"
-    placement:
-      requests:
-        memory: "128Mi"
-        cpu: "100m"
-      limits:
-        memory: "1024Mi"
-        cpu: "2000m"
     api:
       requests:
         memory: "128Mi"
@@ -2410,13 +2292,6 @@
       limits:
         memory: "1024Mi"
         cpu: "2000m"
-    consoleauth:
-      requests:
-        memory: "128Mi"
-        cpu: "100m"
-      limits:
-        memory: "1024Mi"
-        cpu: "2000m"
     scheduler:
       requests:
         memory: "128Mi"
@@ -2545,12 +2420,6 @@
       - {}
     egress:
       - {}
-  placement:
-    # TODO(lamt): Need to tighten this ingress for security.
-    ingress:
-      - {}
-    egress:
-      - {}
 
 # NOTE(helm_hook): helm_hook might break for helm2 binary.
 # set helm3_hook: false when using the helm2 binary.
@@ -2560,6 +2429,11 @@
   logging:
     level: ERROR
 
+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
 manifests:
   certificates: false
   configmap_bin: true
@@ -2570,19 +2444,15 @@
   daemonset_compute: true
   deployment_api_metadata: true
   deployment_api_osapi: true
-  deployment_placement: true
   deployment_conductor: true
-  deployment_consoleauth: true
   deployment_novncproxy: true
   deployment_spiceproxy: true
   deployment_scheduler: true
   ingress_metadata: true
   ingress_novncproxy: true
-  ingress_placement: true
   ingress_osapi: true
   job_bootstrap: true
   job_db_init: true
-  job_db_init_placement: true
   job_db_sync: true
   job_db_drop: false
   job_image_repo_sync: true
@@ -2590,12 +2460,8 @@
   job_ks_endpoints: true
   job_ks_service: true
   job_ks_user: true
-  job_ks_placement_endpoints: true
-  job_ks_placement_service: true
-  job_ks_placement_user: true
   job_cell_setup: true
   pdb_metadata: true
-  pdb_placement: true
   pdb_osapi: true
   pod_rally_test: true
   network_policy: false
@@ -2604,14 +2470,12 @@
   secret_db: true
   secret_ingress_tls: true
   secret_keystone: true
-  secret_keystone_placement: true
   secret_rabbitmq: true
+  secret_registry: true
   service_ingress_metadata: true
   service_ingress_novncproxy: true
-  service_ingress_placement: true
   service_ingress_osapi: true
   service_metadata: true
-  service_placement: true
   service_novncproxy: true
   service_spiceproxy: true
   service_osapi: true
diff --git a/charts/octavia/Chart.yaml b/charts/octavia/Chart.yaml
index a685d8c..7102dd9 100644
--- a/charts/octavia/Chart.yaml
+++ b/charts/octavia/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/octavia
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.5
+version: 0.2.7
diff --git a/charts/octavia/charts/helm-toolkit/Chart.yaml b/charts/octavia/charts/helm-toolkit/Chart.yaml
index d90280e..c1296b9 100644
--- a/charts/octavia/charts/helm-toolkit/Chart.yaml
+++ b/charts/octavia/charts/helm-toolkit/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/openstack-helm-infra
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.44
+version: 0.2.51
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_ingress.tpl
index 7846895..4c476b2 100644
--- a/charts/octavia/charts/helm-toolkit/templates/manifests/_ingress.tpl
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -685,7 +685,7 @@
 {{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
 {{- end }}
 {{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
-{{- $ingressConf := $envAll.Values.network.server.ingress -}}
+{{- $ingressConf := $envAll.Values.network -}}
 {{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
 {{- range $key2, $ingressController := $ingressClasses }}
 {{- $vHosts := list $hostNameFull }}
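Review bot: `$ingressConf` now reads `use_external_ingress_controller` from the top of `.Values.network` rather than from `.Values.network.server.ingress`, so a values file that still sets the flag at the old path is silently ignored. In that case both the `namespace` and the `cluster` ingress objects are rendered, which quietly changes what is exposed through the cluster-wide ingress class. A comment above the assignment naming the expected key, e.g. `{{/* expects .Values.network.use_external_ingress_controller (bool) */}}`, would make the new location discoverable. The surrounding define starts and ends outside this hunk.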
@@ -706,7 +706,6 @@
 {{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
 {{- $vHosts = append $vHosts $v }}
 {{- end }}
-{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
 {{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
 {{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
   tls:
@@ -718,7 +717,6 @@
 {{- end }}
 {{- end }}
 {{- end }}
-{{- end }}
   rules:
 {{- range $vHost := $vHosts }}
 {{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
index 87872d6..3739f95 100644
--- a/charts/octavia/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -77,6 +77,11 @@
   password="${RABBITMQ_PASSWORD}" \
   tags="user"
 
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
 if [ "${RABBITMQ_VHOST}" != "/" ]
 then
   echo "Managing: vHost: ${RABBITMQ_VHOST}"
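Review bot: The added guest-user deletion ends in `|| true`, which hides every failure of `rabbitmqadmin_cli delete user`, not only the expected "user does not exist" case on a re-run. If the call fails for another reason, such as credentials or connectivity, the job still succeeds and the default `guest` account stays in place. Unless `rabbitmqadmin_cli` prints the error itself, nothing in the script marks that outcome. Changing the tail to something like `name="guest" || echo "WARNING: guest user was not deleted"` keeps the step non-fatal but leaves a trace operators can alert on.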
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
index 516d79e..9597d34 100644
--- a/charts/octavia/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -66,6 +66,14 @@
 #       framework will automatically tar/zip the files in that directory and
 #       name the tarball appropriately according to the proper conventions.
 #
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
 # The functions in this file will take care of:
 #   1) Calling "dump_databases_to_directory" and then compressing the files,
 #      naming the tarball properly, and then storing it locally at the specified
@@ -90,6 +98,16 @@
   exit $ERRCODE
 }
 
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
 log() {
   #Log message to a file or stdout
   #TODO: This can be convert into mail alert of alert send to a monitoring system
@@ -195,18 +213,52 @@
     fi
   fi
 
+  # load balance delay
+  DELAY=$((1 + ${RANDOM} % 300))
+  echo "Sleeping for ${DELAY} seconds to spread the load in time..."
+  sleep ${DELAY}
+
   # Create an object to store the file
   openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
     return 2
   fi
+
   openstack object show $CONTAINER_NAME $FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
     return 2
   fi
 
+  # load balance delay
+  DELAY=$((1 + ${RANDOM} % 300))
+  echo "Sleeping for ${DELAY} seconds to spread the load in time..."
+  sleep ${DELAY}
+
+  # Calculation remote file SHA256 hash
+  REMOTE_FILE=$(mktemp -p /tmp)
+  openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+    rm -rf ${REMOTE_FILE}
+    return 1
+  fi
+
+  # Remote backup verification
+  SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+  SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+  if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+      return 1
+  fi
+  rm -rf ${REMOTE_FILE}
+
   log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
   return 0
 }
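Review bot: On the hash-mismatch branch the function does `return 1` before reaching `rm -rf ${REMOTE_FILE}`, so the downloaded copy of the database backup is left in /tmp whenever verification fails. Moving the cleanup up, `rm -f "${REMOTE_FILE}"` directly after `SHA256_REMOTE` is computed, covers both branches. The expansions `${REMOTE_FILE}`, `${FILEPATH}/${FILE}` and `${DELAY}` are unquoted, and `sha256sum` can read each file directly instead of through `cat`. The two random sleeps can add up to ten minutes per uploaded file, which deserves a comment or a tunable upper bound. The enclosing function starts outside this hunk.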
@@ -382,8 +434,8 @@
 
   # Cleanup now that we're done.
   for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
-    if [[ -f fd ]]; then
-      rm -f fd
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
     else
       log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
     fi
@@ -444,10 +496,6 @@
 
   cd $ARCHIVE_DIR
 
-  # Remove the temporary directory and files as they are no longer needed.
-  rm -rf $TMP_DIR
-  rm -f $ERR_LOG_FILE
-
   #Only delete the old archive after a successful archive
   export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
   if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
@@ -459,6 +507,25 @@
     done
   fi
 
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  # Remote backup
   REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
   if $REMOTE_BACKUP; then
     # Remove Quotes from the constants which were added due to reading
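Review bot: A failed archive verification exits with status 0: the `else` branch calls `log_verify_backup_exit` with a single argument, and that helper (added earlier in this file) defaults `ERRCODE=${2:-0}` and then runs `exit $ERRCODE`, so the `exit 1` on the next line is never reached. A backup job whose verification failed would therefore be reported as successful. Pass the code explicitly, `log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention." 1`, or change the helper's default to 1. The helper also leaves `$TMP_DIR` in place (`# rm -rf $TMP_DIR` is commented out), so the unverified dump files stay on disk after the failure. The comment `# If successful, there should be at least one file in the TMP_DIR` looks copied from the dump step and does not describe this branch; the function body begins outside the hunk.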
@@ -490,7 +557,7 @@
       get_backup_prefix $(cat $DB_BACKUP_FILES)
       for ((i=0; i<${#PREFIXES[@]}; i++)); do
         echo "Working with prefix: ${PREFIXES[i]}"
-        create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
         remove_old_remote_archives
       done
     fi
@@ -511,4 +578,4 @@
     echo "=================================================================="
   fi
 }
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/octavia/requirements.lock b/charts/octavia/requirements.lock
index ce130a4..00f9746 100644
--- a/charts/octavia/requirements.lock
+++ b/charts/octavia/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: helm-toolkit
   repository: file://../../openstack-helm-infra/helm-toolkit
-  version: 0.2.44
-digest: sha256:d3a834e34152bf30319ac30e116adc128b474ca63bbbe0fb323a7a2365a56455
-generated: "2022-08-10T23:42:45.910611816Z"
+  version: 0.2.51
+digest: sha256:9fe05ff9103d825422e13cdd8ce9852c3dacfadc12751b7883affdbe483b1b3b
+generated: "2023-01-30T23:10:02.04681901Z"
diff --git a/charts/octavia/templates/deployment-api.yaml b/charts/octavia/templates/deployment-api.yaml
index 76f0d23..2b4a498 100644
--- a/charts/octavia/templates/deployment-api.yaml
+++ b/charts/octavia/templates/deployment-api.yaml
@@ -72,7 +72,9 @@
             - name: o-api
               containerPort: {{ tuple "load_balancer" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
           readinessProbe:
-            tcpSocket:
+            httpGet:
+              scheme: {{ tuple "load_balancer" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+              path: /
               port: {{ tuple "load_balancer" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
           volumeMounts:
             - name: pod-etc-octavia
diff --git a/charts/nova/templates/bin/_nova-consoleauth.sh.tpl b/charts/octavia/templates/secret-registry.yaml
similarity index 71%
copy from charts/nova/templates/bin/_nova-consoleauth.sh.tpl
copy to charts/octavia/templates/secret-registry.yaml
index 97c4195..da979b3 100644
--- a/charts/nova/templates/bin/_nova-consoleauth.sh.tpl
+++ b/charts/octavia/templates/secret-registry.yaml
@@ -1,5 +1,3 @@
-#!/bin/bash
-
 {{/*
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,6 +12,6 @@
 limitations under the License.
 */}}
 
-set -x
-exec nova-consoleauth \
-      --config-file /etc/nova/nova.conf
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/octavia/values.yaml b/charts/octavia/values.yaml
index 8ba4e7b..2caf8ca 100644
--- a/charts/octavia/values.yaml
+++ b/charts/octavia/values.yaml
@@ -350,6 +350,8 @@
     load_balancer:
       api:
         public: octavia-tls-public
+  oci_image_registry:
+    octavia: octavia-oci-image-registry
 
 endpoints:
   cluster_domain_suffix: cluster.local
@@ -365,6 +367,21 @@
     port:
       registry:
         node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      octavia:
+        username: octavia
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
   identity:
     name: keystone
     auth:
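Review bot: The new `oci_image_registry.auth` defaults ship a fixed credential pair (`username: octavia`, `password: password`). Nothing is rendered while `enabled: false`, but turning auth on without overriding these values would build the pull secret from the placeholder. A comment above the block such as `# Placeholder credentials: override username/password before setting auth.enabled to true` would make that explicit. Defaulting to `password: null` and guarding the secret template with `required` would fail the render instead. The same defaults are added for tempest in charts/tempest/values.yaml.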
@@ -681,6 +698,7 @@
   secret_ingress_tls: true
   secret_keystone: true
   secret_rabbitmq: true
+  secret_registry: true
   service_ingress_api: true
   service_api: true
 ...
diff --git a/charts/tempest/Chart.yaml b/charts/tempest/Chart.yaml
index 0f6c89b..e3be4e4 100644
--- a/charts/tempest/Chart.yaml
+++ b/charts/tempest/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/tempest
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.3
+version: 0.2.7
diff --git a/charts/tempest/charts/helm-toolkit/Chart.yaml b/charts/tempest/charts/helm-toolkit/Chart.yaml
index 08512f9..c1296b9 100644
--- a/charts/tempest/charts/helm-toolkit/Chart.yaml
+++ b/charts/tempest/charts/helm-toolkit/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/openstack-helm-infra
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.41
+version: 0.2.51
diff --git a/charts/tempest/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/tempest/charts/helm-toolkit/templates/manifests/_ingress.tpl
index c1693aa..4c476b2 100644
--- a/charts/tempest/charts/helm-toolkit/templates/manifests/_ingress.tpl
+++ b/charts/tempest/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -685,7 +685,9 @@
 {{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
 {{- end }}
 {{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
-{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
 {{- $vHosts := list $hostNameFull }}
 ---
 apiVersion: networking.k8s.io/v1
@@ -704,7 +706,6 @@
 {{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
 {{- $vHosts = append $vHosts $v }}
 {{- end }}
-{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
 {{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
 {{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
   tls:
@@ -716,7 +717,6 @@
 {{- end }}
 {{- end }}
 {{- end }}
-{{- end }}
   rules:
 {{- range $vHost := $vHosts }}
 {{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
diff --git a/charts/tempest/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/tempest/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/tempest/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
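Review bot: The header comment does not match what the template reads and emits: the examples put the user under `name:` while the template reads `$imageCredentials.username`, and the documented output key is `dockerconfigjson` while the rendered key is `.dockerconfigjson`. Neither credential field is validated, so a values file written from the example would render a malformed auth token without any error. Correct the example to `username: {{ $userName }}` and `.dockerconfigjson: {{ $dockerAuth }}`, and drop the duplicated second example. Wrapping the username and password lookups in `required` would make a missing credential fail the render.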
diff --git a/charts/tempest/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/tempest/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
index 87872d6..3739f95 100644
--- a/charts/tempest/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/charts/tempest/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -77,6 +77,11 @@
   password="${RABBITMQ_PASSWORD}" \
   tags="user"
 
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
 if [ "${RABBITMQ_VHOST}" != "/" ]
 then
   echo "Managing: vHost: ${RABBITMQ_VHOST}"
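Review bot: `|| true` on the guest deletion hides every failure, not only the expected case where the user is already absent, so an API or permission error would leave the default `guest` account in place while the script carries on as if it were removed. Since removing that account is a hardening step, the failure should at least be logged, e.g. `name="guest" || echo "WARNING: guest user was not deleted (may already be absent)"`. A follow-up check that the user no longer exists would be stronger. The script continues outside the hunk.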
diff --git a/charts/tempest/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/tempest/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
index d3fe4fd..9597d34 100644
--- a/charts/tempest/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
+++ b/charts/tempest/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -66,6 +66,14 @@
 #       framework will automatically tar/zip the files in that directory and
 #       name the tarball appropriately according to the proper conventions.
 #
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
 # The functions in this file will take care of:
 #   1) Calling "dump_databases_to_directory" and then compressing the files,
 #      naming the tarball properly, and then storing it locally at the specified
@@ -90,6 +98,16 @@
   exit $ERRCODE
 }
 
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
 log() {
   #Log message to a file or stdout
   #TODO: This can be convert into mail alert of alert send to a monitoring system
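Review bot: `log_verify_backup_exit` defaults its exit status to 0 (`ERRCODE=${2:-0}`), and the call added in the `@@ -459,6 +507,25 @@` hunk passes only a message, so a failed verification ends the script with status 0 and the `exit 1` on the following line is never reached. A job that reports success after a failed backup verification will not trigger alerts or retries. Default the code to failure with `ERRCODE=${2:-1}`, or pass it at the call site: `log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention." 1`. The same call appears in the other copy of this script earlier in the diff.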
@@ -195,18 +213,52 @@
     fi
   fi
 
+  # load balance delay
+  DELAY=$((1 + ${RANDOM} % 300))
+  echo "Sleeping for ${DELAY} seconds to spread the load in time..."
+  sleep ${DELAY}
+
   # Create an object to store the file
   openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
     return 2
   fi
+
   openstack object show $CONTAINER_NAME $FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
     return 2
   fi
 
+  # load balance delay
+  DELAY=$((1 + ${RANDOM} % 300))
+  echo "Sleeping for ${DELAY} seconds to spread the load in time..."
+  sleep ${DELAY}
+
+  # Calculation remote file SHA256 hash
+  REMOTE_FILE=$(mktemp -p /tmp)
+  openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+    rm -rf ${REMOTE_FILE}
+    return 1
+  fi
+
+  # Remote backup verification
+  SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+  SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+  if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+      return 1
+  fi
+  rm -rf ${REMOTE_FILE}
+
   log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
   return 0
 }
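Review bot: The mismatch branch returns before `rm -rf ${REMOTE_FILE}`, so a failed comparison leaves a full downloaded copy of the database backup in /tmp; add `rm -f "${REMOTE_FILE}"` ahead of `return 1` in that `else` branch. The result of `mktemp -p /tmp` is also not checked, so on failure `${REMOTE_FILE}` is empty and the unquoted `--file ${REMOTE_FILE}` and `cat ${REMOTE_FILE}` expand to nothing. `REMOTE_FILE=$(mktemp -p /tmp) || return 1` plus quoting the variable would cover that. The function starts outside the hunk, and the tail of the same block is visible in the other copy of this script at the top of this part of the diff.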
@@ -368,8 +420,8 @@
   count=0
   SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
   log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
-  for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
-    ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
     if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
       ((count++))
       log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
@@ -382,8 +434,8 @@
 
   # Cleanup now that we're done.
   for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
-    if [[ -f fd ]]; then
-      rm -f fd
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
     else
       log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
     fi
@@ -444,10 +496,6 @@
 
   cd $ARCHIVE_DIR
 
-  # Remove the temporary directory and files as they are no longer needed.
-  rm -rf $TMP_DIR
-  rm -f $ERR_LOG_FILE
-
   #Only delete the old archive after a successful archive
   export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
   if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
@@ -459,6 +507,25 @@
     done
   fi
 
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  # Remote backup
   REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
   if $REMOTE_BACKUP; then
     # Remove Quotes from the constants which were added due to reading
@@ -490,7 +557,7 @@
       get_backup_prefix $(cat $DB_BACKUP_FILES)
       for ((i=0; i<${#PREFIXES[@]}; i++)); do
         echo "Working with prefix: ${PREFIXES[i]}"
-        create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
         remove_old_remote_archives
       done
     fi
@@ -511,4 +578,4 @@
     echo "=================================================================="
   fi
 }
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/tempest/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/tempest/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
index 4cc898d..bc2045e 100644
--- a/charts/tempest/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
+++ b/charts/tempest/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -42,6 +42,12 @@
 metadata:
   name: {{ $saName }}
   namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
 {{- range $k, $v := $deps -}}
 {{- if eq $k "services" }}
 {{- range $serv := $v }}
diff --git a/charts/tempest/requirements.lock b/charts/tempest/requirements.lock
index aba1c66..08e3e72 100644
--- a/charts/tempest/requirements.lock
+++ b/charts/tempest/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: helm-toolkit
   repository: file://../../openstack-helm-infra/helm-toolkit
-  version: 0.2.41
-digest: sha256:2886b76b32f4fc31863aa7dc8de689b95f46afee79e74ed3f38c89559fd93822
-generated: "2022-04-27T22:43:02.53583665Z"
+  version: 0.2.51
+digest: sha256:9fe05ff9103d825422e13cdd8ce9852c3dacfadc12751b7883affdbe483b1b3b
+generated: "2023-01-30T23:09:57.436181816Z"
diff --git a/charts/tempest/templates/configmap-etc.yaml b/charts/tempest/templates/configmap-etc.yaml
index 8e136c9..025a270 100644
--- a/charts/tempest/templates/configmap-etc.yaml
+++ b/charts/tempest/templates/configmap-etc.yaml
@@ -35,6 +35,38 @@
 {{- $_ := set .Values.conf.tempest.identity "region" .Values.endpoints.identity.auth.admin.region_name -}}
 {{- end -}}
 
+{{- if .Values.conf.tempest.service_available.heat -}}
+{{- if empty .Values.conf.tempest.heat_plugin.username -}}
+{{- $_ := set .Values.conf.tempest.heat_plugin "username" .Values.endpoints.identity.auth.tempest.username -}}
+{{- end -}}
+{{- if empty .Values.conf.tempest.heat_plugin.password -}}
+{{- $_ := set .Values.conf.tempest.heat_plugin "password" .Values.endpoints.identity.auth.tempest.password -}}
+{{- end -}}
+{{- if empty .Values.conf.tempest.heat_plugin.project_name -}}
+{{- $_ := set .Values.conf.tempest.heat_plugin "project_name" .Values.endpoints.identity.auth.tempest.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.tempest.heat_plugin.admin_username -}}
+{{- $_ := set .Values.conf.tempest.heat_plugin "admin_username" .Values.endpoints.identity.auth.admin.username -}}
+{{- end -}}
+{{- if empty .Values.conf.tempest.heat_plugin.admin_password -}}
+{{- $_ := set .Values.conf.tempest.heat_plugin "admin_password" .Values.endpoints.identity.auth.admin.password -}}
+{{- end -}}
+{{- if empty .Values.conf.tempest.heat_plugin.admin_project_name -}}
+{{- $_ := set .Values.conf.tempest.heat_plugin "admin_project_name" .Values.endpoints.identity.auth.admin.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.tempest.heat_plugin.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.tempest.heat_plugin "auth_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.tempest.heat_plugin.region -}}
+{{- $_ := set .Values.conf.tempest.heat_plugin "region" .Values.endpoints.identity.auth.admin.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.tempest.heat_plugin.project_domain_name -}}
+{{- $_ := set .Values.conf.tempest.heat_plugin "project_domain_name" .Values.endpoints.identity.auth.tempest.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.tempest.heat_plugin.user_domain_name -}}
+{{- $_ := set .Values.conf.tempest.heat_plugin "user_domain_name" .Values.endpoints.identity.auth.tempest.user_domain_name -}}
+{{- end -}}
+{{- end -}}
 
 {{- if empty .Values.conf.tempest.dashboard.dashboard_url -}}
 {{- $endpointScheme := tuple "dashboard" "public" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
diff --git a/charts/tempest/templates/job-ks-user.yaml b/charts/tempest/templates/job-ks-user.yaml
index ae8f774..4537d5a 100644
--- a/charts/tempest/templates/job-ks-user.yaml
+++ b/charts/tempest/templates/job-ks-user.yaml
@@ -23,5 +23,8 @@
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
 {{- end }}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
+{{- end -}}
 {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{- end }}
diff --git a/charts/tempest/templates/job-run-tests.yaml b/charts/tempest/templates/job-run-tests.yaml
index abacad1..fc37523 100644
--- a/charts/tempest/templates/job-run-tests.yaml
+++ b/charts/tempest/templates/job-run-tests.yaml
@@ -61,6 +61,10 @@
           command:
             - /tmp/run-tests.sh
           env:
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/tempest/certs/ca.crt"
+{{- end }}
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
@@ -95,6 +99,7 @@
 {{- end }}
             - name: tempest-reports
               mountPath: /var/lib/tempest/data
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.identity.api.internal "path" "/etc/tempest/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
       volumes:
         - name: pod-tmp
           emptyDir: {}
@@ -115,4 +120,5 @@
           persistentVolumeClaim:
             claimName: {{ .Values.pvc.name }}
         {{- end }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
diff --git a/charts/nova/templates/bin/_nova-consoleauth.sh.tpl b/charts/tempest/templates/secret-registry.yaml
similarity index 71%
copy from charts/nova/templates/bin/_nova-consoleauth.sh.tpl
copy to charts/tempest/templates/secret-registry.yaml
index 97c4195..da979b3 100644
--- a/charts/nova/templates/bin/_nova-consoleauth.sh.tpl
+++ b/charts/tempest/templates/secret-registry.yaml
@@ -1,5 +1,3 @@
-#!/bin/bash
-
 {{/*
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,6 +12,6 @@
 limitations under the License.
 */}}
 
-set -x
-exec nova-consoleauth \
-      --config-file /etc/nova/nova.conf
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/tempest/values.yaml b/charts/tempest/values.yaml
index 00b5c53..a903143 100644
--- a/charts/tempest/values.yaml
+++ b/charts/tempest/values.yaml
@@ -24,8 +24,8 @@
 images:
   tags:
     dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
-    tempest_run_tests: docker.io/openstackhelm/tempest:latest-ubuntu_xenial
-    ks_user: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
+    tempest_run_tests: docker.io/openstackhelm/tempest:latest-ubuntu_focal
+    ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
     image_repo_sync: docker.io/docker:17.07.0
   pull_policy: "IfNotPresent"
   local_registry:
@@ -137,6 +137,23 @@
       admin_domain_name: null
       use_dynamic_credentials: true
     dashboard: {}
+    heat_plugin:
+      # Username to use for non admin API requests
+      username: null
+      # Non admin API key to use when authenticating.
+      password: null
+      project_name: null
+      # Username to use for admin API requests
+      admin_username: null
+      # Admin API key to use when authentication
+      admin_password: null
+      # Admin project name to use for admin API requests
+      admin_project_name: null
+      auth_version: 3
+      auth_url: null
+      user_domain_name: null
+      project_domain_name: null
+      region: null
     identity:
       admin_domain_scope: false
       auth_version: v3
@@ -203,6 +220,7 @@
       # tempest image used includes a bug resulting in failed network tests that
       # wasn't fixed in newton. Swift is disabled by default as the swift chart
       # isn't complete
+      heat: false
       neutron: false
       nova: false
       swift: false
@@ -267,6 +285,13 @@
   identity:
     admin: tempest-keystone-admin
     tempest: tempest-keystone-user
+  oci_image_registry:
+    tempest: tempest-oci-image-registry
+  tls:
+    identity:
+      api:
+        public: keystone-tls-public
+        internal: keystone-tls-api
 
 endpoints:
   cluster_domain_suffix: cluster.local
@@ -282,6 +307,21 @@
     port:
       registry:
         node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      tempest:
+        username: tempest
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
   identity:
     name: keystone
     auth:
@@ -334,6 +374,8 @@
     port:
       web:
         default: 80
+tls:
+  identity: false
 
 manifests:
   configmap_bin: true
@@ -342,4 +384,5 @@
   job_ks_user: true
   job_run_tests: true
   secret_keystone: true
+  secret_registry: true
 ...
diff --git a/hack/sync-charts.sh b/hack/sync-charts.sh
index 1abd03c..be8c8cd 100755
--- a/hack/sync-charts.sh
+++ b/hack/sync-charts.sh
@@ -70,11 +70,11 @@
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm-infra/memcached-${MEMCACHED_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
-KEYSTONE_VERSION=0.2.19
+KEYSTONE_VERSION=0.3.0
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/keystone-${KEYSTONE_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
-BARBICAN_VERSION=0.2.12
+BARBICAN_VERSION=0.3.0
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/barbican-${BARBICAN_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
@@ -86,7 +86,7 @@
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/glance-${GLANCE_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
-CINDER_VERSION=0.3.2
+CINDER_VERSION=0.3.3
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/cinder-${CINDER_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 curl 'https://review.opendev.org/changes/openstack%2Fopenstack-helm~872359/revisions/1/patch?download' \
@@ -110,8 +110,13 @@
 NEUTRON_VERSION=0.3.2
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/neutron-${NEUTRON_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
+curl 'https://review.opendev.org/changes/openstack%2Fopenstack-helm~872436/revisions/1/patch?download' \
+  | base64 --decode \
+  | filterdiff -p1 -x 'releasenotes/*' \
+  | filterdiff -p2 -x 'Chart.yaml' \
+  | patch -p2 -d ${ATMOSPHERE}/charts/neutron
 
-NOVA_VERISON=0.2.32
+NOVA_VERISON=0.3.1
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/nova-${NOVA_VERISON}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
@@ -127,7 +132,7 @@
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/heat-${HEAT_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
-OCTAVIA_VERSION=0.2.5
+OCTAVIA_VERSION=0.2.7
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/octavia-${OCTAVIA_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
@@ -135,10 +140,15 @@
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/magnum-${MAGNUM_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
-HORIZON_VERSION=0.3.1
+HORIZON_VERSION=0.3.2
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/horizon-${HORIZON_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
+curl 'https://review.opendev.org/changes/openstack%2Fopenstack-helm~872524/revisions/1/patch?download' \
+  | base64 --decode \
+  | filterdiff -p1 -x 'releasenotes/*' \
+  | filterdiff -p2 -x 'Chart.yaml' \
+  | patch -p2 -d ${ATMOSPHERE}/charts/horizon
 
-TEMPEST_VERSION=0.2.3
+TEMPEST_VERSION=0.2.7
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/tempest-${TEMPEST_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
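Review bot: The patch fetched from review.opendev.org is piped straight into `base64 --decode | filterdiff | patch` with no integrity check, and `curl` is invoked without `-f`, so an error page or altered response is only caught if a later stage happens to fail. Pinning `revisions/1` helps, but comparing the decoded patch against a recorded SHA-256 before `patch` runs would make the vendored chart content reproducible. At minimum use `curl -fsSL` for the download and confirm the script runs with `set -o pipefail` (not visible in the hunk). The same pattern is added for neutron in the `@@ -110,8 +110,13 @@` hunk.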
diff --git a/playbooks/openstack.yml b/playbooks/openstack.yml
index 1c433c2..ed8fb38 100644
--- a/playbooks/openstack.yml
+++ b/playbooks/openstack.yml
@@ -105,14 +105,14 @@
       tags:
         - coredns
 
-    - role: neutron
-      tags:
-        - neutron
-
     - role: nova
       tags:
         - nova
 
+    - role: neutron
+      tags:
+        - neutron
+
     - role: senlin
       tags:
         - senlin
diff --git a/roles/defaults/defaults/main.yml b/roles/defaults/defaults/main.yml
index ca193fb..fa3284f 100644
--- a/roles/defaults/defaults/main.yml
+++ b/roles/defaults/defaults/main.yml
@@ -5,8 +5,8 @@
 atmosphere_images:
   alertmanager: quay.io/prometheus/alertmanager:v0.24.0
   atmosphere: quay.io/vexxhost/atmosphere:0.13.0 # x-release-please-version
-  barbican_api: quay.io/vexxhost/barbican:wallaby
-  barbican_db_sync: quay.io/vexxhost/barbican:wallaby
+  barbican_api: quay.io/vexxhost/barbican:zed
+  barbican_db_sync: quay.io/vexxhost/barbican:zed
   bootstrap: quay.io/vexxhost/heat:zed
   ceph_config_helper: quay.io/vexxhost/libvirtd:yoga-focal
   cert_manager_cainjector: quay.io/jetstack/cert-manager-cainjector:v1.7.1
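Review bot: The images switched to `quay.io/vexxhost/...:zed` are referenced by a mutable release tag only, so what gets deployed can change without any change to this file. The `ingress_nginx_*` entries further down the same file already pin a digest (`tag@sha256:…`). Using that form here, e.g. `barbican_api: quay.io/vexxhost/barbican:zed@sha256:<digest>`, would make the registry move and the release change auditable. This applies equally to the heat, horizon, keystone and neutron entries in the following hunks.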
@@ -55,27 +55,27 @@
   grafana_sidecar: quay.io/kiwigrid/k8s-sidecar:1.19.2
   grafana: docker.io/grafana/grafana:9.2.3
   haproxy: docker.io/library/haproxy:2.5
-  heat_api: us-docker.pkg.dev/vexxhost-infra/openstack/heat:wallaby
-  heat_cfn: us-docker.pkg.dev/vexxhost-infra/openstack/heat:wallaby
-  heat_cloudwatch: us-docker.pkg.dev/vexxhost-infra/openstack/heat:wallaby
-  heat_db_sync: us-docker.pkg.dev/vexxhost-infra/openstack/heat:wallaby
-  heat_engine_cleaner: us-docker.pkg.dev/vexxhost-infra/openstack/heat:wallaby
-  heat_engine: us-docker.pkg.dev/vexxhost-infra/openstack/heat:wallaby
-  heat_purge_deleted: us-docker.pkg.dev/vexxhost-infra/openstack/heat:wallaby
-  horizon_db_sync: us-docker.pkg.dev/vexxhost-infra/openstack/horizon:wallaby
-  horizon: us-docker.pkg.dev/vexxhost-infra/openstack/horizon:wallaby
+  heat_api: quay.io/vexxhost/heat:zed
+  heat_cfn: quay.io/vexxhost/heat:zed
+  heat_cloudwatch: quay.io/vexxhost/heat:zed
+  heat_db_sync: quay.io/vexxhost/heat:zed
+  heat_engine_cleaner: quay.io/vexxhost/heat:zed
+  heat_engine: quay.io/vexxhost/heat:zed
+  heat_purge_deleted: quay.io/vexxhost/heat:zed
+  horizon_db_sync: quay.io/vexxhost/horizon:zed
+  horizon: quay.io/vexxhost/horizon:zed
   ingress_nginx_controller: k8s.gcr.io/ingress-nginx/controller:v1.1.1@sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
   ingress_nginx_default_backend: k8s.gcr.io/defaultbackend-amd64:1.5
   ingress_nginx_kube_webhook_certgen: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
   keepalived: us-docker.pkg.dev/vexxhost-infra/openstack/keepalived:2.0.19
-  keystone_api: quay.io/vexxhost/keystone:wallaby
+  keystone_api: quay.io/vexxhost/keystone:zed
   keystone_credential_cleanup: quay.io/vexxhost/heat:zed
-  keystone_credential_rotate: quay.io/vexxhost/keystone:wallaby
-  keystone_credential_setup: quay.io/vexxhost/keystone:wallaby
-  keystone_db_sync: quay.io/vexxhost/keystone:wallaby
+  keystone_credential_rotate: quay.io/vexxhost/keystone:zed
+  keystone_credential_setup: quay.io/vexxhost/keystone:zed
+  keystone_db_sync: quay.io/vexxhost/keystone:zed
   keystone_domain_manage: quay.io/vexxhost/heat:zed
-  keystone_fernet_rotate: quay.io/vexxhost/keystone:wallaby
-  keystone_fernet_setup: quay.io/vexxhost/keystone:wallaby
+  keystone_fernet_rotate: quay.io/vexxhost/keystone:zed
+  keystone_fernet_setup: quay.io/vexxhost/keystone:zed
   ks_endpoints: quay.io/vexxhost/heat:zed
   ks_service: quay.io/vexxhost/heat:zed
   ks_user: quay.io/vexxhost/heat:zed
@@ -92,38 +92,38 @@
   magnum_db_sync: quay.io/vexxhost/magnum:zed
   magnum_registry: docker.io/library/registry:2.7.1
   memcached: docker.io/library/memcached:1.6.17
-  neutron_bagpipe_bgp: us-docker.pkg.dev/vexxhost-infra/openstack/neutron:wallaby
+  neutron_bagpipe_bgp: quay.io/vexxhost/neutron:zed
   neutron_coredns: docker.io/coredns/coredns:1.9.3
-  neutron_db_sync: us-docker.pkg.dev/vexxhost-infra/openstack/neutron:wallaby
-  neutron_dhcp: us-docker.pkg.dev/vexxhost-infra/openstack/neutron:wallaby
-  neutron_ironic_agent: us-docker.pkg.dev/vexxhost-infra/openstack/neutron:wallaby
-  neutron_l2gw: us-docker.pkg.dev/vexxhost-infra/openstack/neutron:wallaby
-  neutron_l3: us-docker.pkg.dev/vexxhost-infra/openstack/neutron:wallaby
-  neutron_linuxbridge_agent: us-docker.pkg.dev/vexxhost-infra/openstack/neutron:wallaby
-  neutron_metadata: us-docker.pkg.dev/vexxhost-infra/openstack/neutron:wallaby
-  neutron_netns_cleanup_cron: us-docker.pkg.dev/vexxhost-infra/openstack/neutron:wallaby
-  neutron_openvswitch_agent: us-docker.pkg.dev/vexxhost-infra/openstack/neutron:wallaby
-  neutron_server: us-docker.pkg.dev/vexxhost-infra/openstack/neutron:wallaby
-  neutron_sriov_agent_init: us-docker.pkg.dev/vexxhost-infra/openstack/neutron:wallaby
-  neutron_sriov_agent: us-docker.pkg.dev/vexxhost-infra/openstack/neutron:wallaby
+  neutron_db_sync: quay.io/vexxhost/neutron:zed
+  neutron_dhcp: quay.io/vexxhost/neutron:zed
+  neutron_ironic_agent: quay.io/vexxhost/neutron:zed
+  neutron_l2gw: quay.io/vexxhost/neutron:zed
+  neutron_l3: quay.io/vexxhost/neutron:zed
+  neutron_linuxbridge_agent: quay.io/vexxhost/neutron:zed
+  neutron_metadata: quay.io/vexxhost/neutron:zed
+  neutron_netns_cleanup_cron: quay.io/vexxhost/neutron:zed
+  neutron_openvswitch_agent: quay.io/vexxhost/neutron:zed
+  neutron_server: quay.io/vexxhost/neutron:zed
+  neutron_sriov_agent_init: quay.io/vexxhost/neutron:zed
+  neutron_sriov_agent: quay.io/vexxhost/neutron:zed
   node_feature_discovery: k8s.gcr.io/nfd/node-feature-discovery:v0.11.2
-  nova_api: quay.io/vexxhost/nova:wallaby
-  nova_archive_deleted_rows: quay.io/vexxhost/nova:wallaby
+  nova_api: quay.io/vexxhost/nova:zed
+  nova_archive_deleted_rows: quay.io/vexxhost/nova:zed
   nova_cell_setup_init: quay.io/vexxhost/heat:zed
-  nova_cell_setup: quay.io/vexxhost/nova:wallaby
-  nova_compute_ironic: docker.io/kolla/ubuntu-source-nova-compute-ironic:wallaby
-  nova_compute_ssh: quay.io/vexxhost/nova-ssh:wallaby
-  nova_compute: quay.io/vexxhost/nova:wallaby
-  nova_conductor: quay.io/vexxhost/nova:wallaby
-  nova_consoleauth: quay.io/vexxhost/nova:wallaby
-  nova_db_sync: quay.io/vexxhost/nova:wallaby
-  nova_novncproxy_assets: quay.io/vexxhost/nova:wallaby
-  nova_novncproxy: quay.io/vexxhost/nova:wallaby
-  nova_placement: quay.io/vexxhost/nova:wallaby
-  nova_scheduler: quay.io/vexxhost/nova:wallaby
+  nova_cell_setup: quay.io/vexxhost/nova:zed
+  nova_compute_ironic: docker.io/kolla/ubuntu-source-nova-compute-ironic:zed
+  nova_compute_ssh: quay.io/vexxhost/nova-ssh:latest
+  nova_compute: quay.io/vexxhost/nova:zed
+  nova_conductor: quay.io/vexxhost/nova:zed
+  nova_consoleauth: quay.io/vexxhost/nova:zed
+  nova_db_sync: quay.io/vexxhost/nova:zed
+  nova_novncproxy_assets: quay.io/vexxhost/nova:zed
+  nova_novncproxy: quay.io/vexxhost/nova:zed
+  nova_placement: quay.io/vexxhost/nova:zed
+  nova_scheduler: quay.io/vexxhost/nova:zed
   nova_service_cleaner: quay.io/vexxhost/cli:latest
-  nova_spiceproxy_assets: quay.io/vexxhost/nova:wallaby
-  nova_spiceproxy: quay.io/vexxhost/nova:wallaby
+  nova_spiceproxy_assets: quay.io/vexxhost/nova:zed
+  nova_spiceproxy: quay.io/vexxhost/nova:zed
   octavia_api: quay.io/vexxhost/octavia:zed
   octavia_db_sync: quay.io/vexxhost/octavia:zed
   octavia_health_manager_init: quay.io/vexxhost/heat:zed
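Review bot: `nova_compute_ssh` is switched from `nova-ssh:wallaby` to `quay.io/vexxhost/nova-ssh:latest`, the one image in this hunk that trades a release-named tag for a floating one. With `latest`, whatever is pushed to that repository next is what newly scheduled pods pull, so hosts can end up running different builds and a deployment cannot be reproduced or audited from this file alone. The ingress-nginx entries earlier in the same map already pin by digest. The same form here would be `nova_compute_ssh: quay.io/vexxhost/nova-ssh:<tag>@sha256:<digest of the image that passed e2e>`. The other `:zed` tags are also mutable, so digest pinning would be worth extending to them in a follow-up; the image map itself starts and ends outside this hunk.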
@@ -136,8 +136,8 @@
   percona_xtradb_cluster_haproxy: docker.io/percona/percona-xtradb-cluster-operator:1.10.0-haproxy
   percona_xtradb_cluster_operator: docker.io/percona/percona-xtradb-cluster-operator:1.10.0
   percona_xtradb_cluster: docker.io/percona/percona-xtradb-cluster:5.7.39-31.61
-  placement_db_sync: quay.io/vexxhost/placement:wallaby
-  placement: quay.io/vexxhost/placement:wallaby
+  placement_db_sync: quay.io/vexxhost/placement:zed
+  placement: quay.io/vexxhost/placement:zed
   prometheus_config_reloader: quay.io/prometheus-operator/prometheus-config-reloader:v0.60.1
   prometheus_ethtool_exporter: quay.io/vexxhost/ethtool-exporter:5f05120a743a71adcbceb9f8ee1d43ecc7c4183a
   prometheus_ipmi_exporter: us-docker.pkg.dev/vexxhost-infra/openstack/ipmi-exporter:1.4.0
@@ -154,11 +154,11 @@
   rabbitmq_credential_updater: docker.io/rabbitmqoperator/default-user-credential-updater:1.0.2
   rabbitmq_server: docker.io/library/rabbitmq:3.10.2-management
   rabbitmq_topology_operator: docker.io/rabbitmqoperator/messaging-topology-operator:1.6.0
-  senlin_api: us-docker.pkg.dev/vexxhost-infra/openstack/senlin:wallaby
-  senlin_conductor: us-docker.pkg.dev/vexxhost-infra/openstack/senlin:wallaby
-  senlin_db_sync: us-docker.pkg.dev/vexxhost-infra/openstack/senlin:wallaby
-  senlin_engine_cleaner: us-docker.pkg.dev/vexxhost-infra/openstack/senlin:wallaby
-  senlin_engine: us-docker.pkg.dev/vexxhost-infra/openstack/senlin:wallaby
-  senlin_health_manager: us-docker.pkg.dev/vexxhost-infra/openstack/senlin:wallaby
+  senlin_api: quay.io/vexxhost/senlin:zed
+  senlin_conductor: quay.io/vexxhost/senlin:zed
+  senlin_db_sync: quay.io/vexxhost/senlin:zed
+  senlin_engine_cleaner: quay.io/vexxhost/senlin:zed
+  senlin_engine: quay.io/vexxhost/senlin:zed
+  senlin_health_manager: quay.io/vexxhost/senlin:zed
   skopeo: quay.io/skopeo/stable:latest
   tempest_run_tests: us-docker.pkg.dev/vexxhost-infra/openstack/tempest:30.1.0-4
diff --git a/roles/openstack_helm_endpoints/vars/main.yml b/roles/openstack_helm_endpoints/vars/main.yml
index fc50a6b..24650cd 100644
--- a/roles/openstack_helm_endpoints/vars/main.yml
+++ b/roles/openstack_helm_endpoints/vars/main.yml
@@ -28,6 +28,8 @@
   - object_store
   - oci_image_registry
   - prometheus_rabbitmq_exporter
+  - volume
+  - volumev2
 
 _openstack_helm_endpoints_oslo_db:
   oslo_db: