[ATMOSPHERE-497] [stable/2024.1] chart: sync ovn with upstream (#2028)

Co-authored-by: okozachenko1203 <okozachenko1203@users.noreply.github.com>
Co-authored-by: Mohammed Naser <mnaser@vexxhost.com>
diff --git a/.charts.yml b/.charts.yml
index c19c5ef..4c3e371 100644
--- a/.charts.yml
+++ b/.charts.yml
@@ -172,14 +172,13 @@
     repository: *openstack_helm_infra_repository
     dependencies: *openstack_helm_dependencies
   - name: ovn
-    version: 0.1.4
+    version: 0.1.13
     repository: *openstack_helm_infra_repository
     dependencies: *openstack_helm_dependencies
     patches:
       gerrit:
         review.opendev.org:
-          - 893739
-          - 914807
+          - 933333
   - name: placement
     version: 0.3.9
     repository: *openstack_helm_repository
diff --git a/charts/ovn/Chart.yaml b/charts/ovn/Chart.yaml
index 8ac48b4..00f498b 100644
--- a/charts/ovn/Chart.yaml
+++ b/charts/ovn/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://github.com/ovn-org/ovn
 - https://opendev.org/openstack/openstack-helm
-version: 0.1.4
+version: 0.1.13
diff --git a/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl b/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl
index 77e1e68..1d303c8 100644
--- a/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl
+++ b/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl
@@ -18,7 +18,7 @@
 
 function get_ip_address_from_interface {
   local interface=$1
-  local ip=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' '{print $1}')
+  local ip=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' 'NR==1 {print $1}')
   if [ -z "${ip}" ] ; then
     exit 1
   fi
@@ -27,7 +27,7 @@
 
 function get_ip_prefix_from_interface {
   local interface=$1
-  local prefix=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' '{print $2}')
+  local prefix=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' 'NR==1 {print $2}')
   if [ -z "${prefix}" ] ; then
     exit 1
   fi
@@ -70,7 +70,7 @@
   elif [[ -z "${bridge_ip}" && -z "${ip}" ]]; then
     echo "Interface and bridge have no ips configured. Leaving as is."
   else
-    echo "Interface ${name} has invalid IP address. IP:[${ip}]; Prefix:[${prefix}]..."
+    echo "Interface ${src_nic} has invalid IP address. IP:[${ip}]; Prefix:[${prefix}]..."
     exit 1
   fi
 
@@ -144,13 +144,20 @@
 ovs-vsctl set open . external-ids:ovn-encap-type="{{ .Values.conf.ovn_encap_type }}"
 ovs-vsctl set open . external-ids:ovn-bridge="{{ .Values.conf.ovn_bridge }}"
 ovs-vsctl set open . external-ids:ovn-bridge-mappings="{{ .Values.conf.ovn_bridge_mappings }}"
-ovs-vsctl set open . external-ids:ovn-cms-options="${OVN_CMS_OPTIONS}"
+
+GW_ENABLED=$(cat /tmp/gw-enabled/gw-enabled)
+if [[ ${GW_ENABLED} == {{ .Values.labels.ovn_controller_gw.node_selector_value }} ]]; then
+  ovs-vsctl set open . external-ids:ovn-cms-options={{ .Values.conf.ovn_cms_options_gw_enabled }}
+else
+  ovs-vsctl set open . external-ids:ovn-cms-options={{ .Values.conf.ovn_cms_options }}
+fi
+
 {{ if .Values.conf.ovn_bridge_datapath_type -}}
 ovs-vsctl set open . external-ids:ovn-bridge-datapath-type="{{ .Values.conf.ovn_bridge_datapath_type }}"
 {{- end }}
 
 # Configure hostname
-{{- if .Values.conf.use_fqdn.compute }}
+{{- if .Values.pod.use_fqdn.compute }}
   ovs-vsctl set open . external-ids:hostname="$(hostname -f)"
 {{- else }}
   ovs-vsctl set open . external-ids:hostname="$(hostname)"
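Review bot: The two new `ovn-cms-options=` assignments drop the double quotes that the removed `"${OVN_CMS_OPTIONS}"` line had, so the rendered Helm value is pasted into the script as raw shell text. A value containing whitespace or glob characters would be word-split or expanded by bash instead of reaching ovs-vsctl as one argument, and the unquoted right-hand side of the `[[ ... == ... ]]` test is treated as a glob pattern rather than a literal. Matching the neighbouring lines would avoid both: `external-ids:ovn-cms-options="{{ .Values.conf.ovn_cms_options_gw_enabled }}"` (likewise for the `else` branch) and `if [[ "${GW_ENABLED}" == "{{ .Values.labels.ovn_controller_gw.node_selector_value }}" ]]; then`.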
@@ -164,7 +171,7 @@
   bridge=${bmap%:*}
   iface=${bmap#*:}
   ovs-vsctl --may-exist add-br $bridge -- set bridge $bridge protocols=OpenFlow13
-  if [ -n "$iface" ] && [ "$iface" != "null" ]
+  if [ -n "$iface" ] && [ "$iface" != "null" ] && ( ip link show $iface 1>/dev/null 2>&1 );
   then
     ovs-vsctl --may-exist add-port $bridge $iface
     migrate_ip_from_nic $iface $bridge
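Review bot: With the added `ip link show $iface` test, an interface that is named in the mapping but absent on the node is skipped with no output, so a typo leaves the bridge without its uplink and the init log gives no hint why. A message for that case, for example `echo "Interface ${iface} for bridge ${bridge} not found; skipping add-port"`, would make it visible. The new test should also quote the variable and does not need the subshell: `&& ip link show "$iface" >/dev/null 2>&1`. The `if` body continues past the end of the hunk.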
diff --git a/charts/ovn/templates/daemonset-controller-gw.yaml b/charts/ovn/templates/daemonset-controller-gw.yaml
deleted file mode 100644
index 3ecd81d..0000000
--- a/charts/ovn/templates/daemonset-controller-gw.yaml
+++ /dev/null
@@ -1,191 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- define "controllerGatewayReadinessProbeTemplate" }}
-exec:
-  command:
-    - /usr/bin/ovn-kube-util
-    - readiness-probe
-    - -t
-    - ovn-controller
-{{- end }}
-
-{{- if .Values.manifests.daemonset_ovn_controller_gw }}
-{{- $envAll := . }}
-
-{{- $configMapName := "ovn-etc" }}
-{{- $serviceAccountName := "ovn-controller-gw" }}
-{{ tuple $envAll "ovn_controller_gw" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
----
-kind: DaemonSet
-apiVersion: apps/v1
-metadata:
-  name: ovn-controller-gw
-  annotations:
-    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
-    configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
-  labels:
-{{ tuple $envAll "ovn" "ovn-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-    type: gw
-spec:
-  selector:
-    matchLabels:
-{{ tuple $envAll "ovn" "ovn-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
-      type: gw
-  template:
-    metadata:
-      labels:
-{{ tuple $envAll "ovn" "ovn-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
-        type: gw
-      annotations:
-{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
-        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
-        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
-    spec:
-      serviceAccountName: {{ $serviceAccountName }}
-      hostNetwork: true
-      dnsPolicy: {{ .Values.pod.dns_policy }}
-      nodeSelector:
-        {{ .Values.labels.ovn_controller_gw.node_selector_key }}: {{ .Values.labels.ovn_controller_gw.node_selector_value }}
-      initContainers:
-{{- tuple $envAll "ovn_controller_gw" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
-        - name: controller-init
-{{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ dict "envAll" $envAll "application" "ovn_controller_gw" "container" "controller_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-          command:
-            - /tmp/ovn-controller-init.sh
-          env:
-            - name: OVN_CMS_OPTIONS
-              value: {{ .Values.conf.gw_ovn_cms_options | quote }}
-            - name: NODE_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-          volumeMounts:
-            - name: ovn-bin
-              mountPath: /tmp/ovn-controller-init.sh
-              subPath: ovn-controller-init.sh
-              readOnly: true
-            - name: run-openvswitch
-              mountPath: /run/openvswitch
-            - name: ovn-etc
-              mountPath: /tmp/auto_bridge_add
-              subPath: auto_bridge_add
-              readOnly: true
-      containers:
-        - name: controller
-          command:
-            - /root/ovnkube.sh
-            - ovn-controller
-{{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "ovn_controller_gw" "container" "controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-{{ dict "envAll" . "component" "ovn_controller_gw" "container" "controller" "type" "readiness" "probeTemplate" (include "controllerGatewayReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
-          env:
-            - name: OVN_DAEMONSET_VERSION
-              value: "3"
-            - name: OVN_LOGLEVEL_CONTROLLER
-              value: "-vconsole:info -vfile:info"
-            - name: OVN_KUBERNETES_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: OVN_KUBERNETES_NB_STATEFULSET
-              value: ovn-ovsdb-nb
-            - name: OVN_KUBERNETES_SB_STATEFULSET
-              value: ovn-ovsdb-sb
-            - name: OVN_SSL_ENABLE
-              value: "no"
-          volumeMounts:
-            - name: run-openvswitch
-              mountPath: /var/run/ovn
-            - name: run-openvswitch
-              mountPath: /var/run/openvswitch
-            - name: shared
-              mountPath: /var/log/ovn/
-        {{- if .Values.pod.sidecars.vector }}
-        - name: vector
-{{ tuple $envAll "vector" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ tuple $envAll $envAll.Values.pod.resources.ovn_controller_gw.vector | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "ovn_controller_gw" "container" "vector" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-          command:
-            - vector
-            - --config
-            - /etc/vector/vector.toml
-          volumeMounts:
-            - name: vector-config
-              mountPath: /etc/vector
-            - name: shared
-              mountPath: /logs
-            - name: vector-data
-              mountPath: /var/lib/vector
-        {{- end }}
-        {{- if .Values.pod.sidecars.ovn_logging_parser }}
-        - name: log-parser
-{{ tuple $envAll "ovn_logging_parser" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ tuple $envAll $envAll.Values.pod.resources.ovn_controller_gw.ovn_logging_parser | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "ovn_controller_gw" "container" "ovn_logging_parser" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-          command:
-            - /tmp/ovn-network-logging-parser.sh
-            - start
-          env:
-            - name: VECTOR_HTTP_ENDPOINT
-              value: http://localhost:5001
-          ports:
-            - name: http
-              containerPort: {{ tuple "ovn_logging_parser" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-              protocol: TCP
-          volumeMounts:
-            - name: neutron-etc
-              mountPath: /etc/neutron/neutron.conf
-              subPath: neutron.conf
-              readOnly: true
-            - name: ovn-bin
-              mountPath: /tmp/ovn-network-logging-parser.sh
-              subPath: ovn-network-logging-parser.sh
-              readOnly: true
-            - name: ovn-etc
-              mountPath: /etc/neutron/neutron-ovn-network-logging-parser-uwsgi.ini
-              subPath: neutron-ovn-network-logging-parser-uwsgi.ini
-              readOnly: true
-        {{- end }}
-      volumes:
-        - name: ovn-bin
-          configMap:
-            name: ovn-bin
-            defaultMode: 0777
-        - name: run-openvswitch
-          hostPath:
-            path: /run/openvswitch
-            type: DirectoryOrCreate
-        - name: ovn-etc
-          secret:
-            secretName: {{ $configMapName }}
-            defaultMode: 0444
-        - name: shared
-          emptyDir: {}
-        {{- if .Values.pod.sidecars.vector }}
-        - name: vector-config
-          secret:
-            secretName: ovn-vector-config
-        - name: vector-data
-          emptyDir: {}
-        {{- end }}
-        {{- if .Values.pod.sidecars.ovn_logging_parser }}
-        - name: neutron-etc
-          secret:
-            secretName: neutron-etc
-            defaultMode: 0444
-        {{- end }}
-{{- end }}
diff --git a/charts/ovn/templates/daemonset-controller.yaml b/charts/ovn/templates/daemonset-controller.yaml
index b6b0b04..82b70f7 100644
--- a/charts/ovn/templates/daemonset-controller.yaml
+++ b/charts/ovn/templates/daemonset-controller.yaml
@@ -26,7 +26,33 @@
 
 {{- $configMapName := "ovn-etc" }}
 {{- $serviceAccountName := "ovn-controller" }}
+{{- $serviceAccountNamespace := $envAll.Release.Namespace }}
 {{ tuple $envAll "ovn_controller" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ovn-controller-list-nodes-role-{{ $serviceAccountNamespace }}
+rules:
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["list", "get"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ovn-controller-list-nodes-rolebinding-{{ $serviceAccountNamespace }}
+subjects:
+- kind: ServiceAccount
+  name: {{ $serviceAccountName }}
+  namespace: {{ $serviceAccountNamespace }}
+roleRef:
+  kind: ClusterRole
+  name: ovn-controller-list-nodes-role-{{ $serviceAccountNamespace }}
+  apiGroup: rbac.authorization.k8s.io
+
 ---
 kind: DaemonSet
 apiVersion: apps/v1
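Review bot: The new ClusterRole grants `list` on nodes, but the only consumer visible in this commit is the `get-gw-enabled` init container, which runs `kubectl get node ${NODENAME}` for one named node. `verbs: ["get"]` would cover that call and keeps the service account used by every ovn-controller pod from enumerating all nodes in the cluster. A short comment above the ClusterRole, such as `# read by the get-gw-enabled init container to look up this node's gateway label`, would help whoever audits cluster-scoped RBAC later.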
@@ -37,17 +63,14 @@
     configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
   labels:
 {{ tuple $envAll "ovn" "ovn-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-    type: hv
 spec:
   selector:
     matchLabels:
 {{ tuple $envAll "ovn" "ovn-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
-      type: hv
   template:
     metadata:
       labels:
 {{ tuple $envAll "ovn" "ovn-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
-        type: hv
       annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
@@ -55,19 +78,35 @@
     spec:
       serviceAccountName: {{ $serviceAccountName }}
       hostNetwork: true
+      hostPID: true
+      hostIPC: true
       dnsPolicy: {{ .Values.pod.dns_policy }}
       nodeSelector:
         {{ .Values.labels.ovn_controller.node_selector_key }}: {{ .Values.labels.ovn_controller.node_selector_value }}
       initContainers:
 {{- tuple $envAll "ovn_controller" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: get-gw-enabled
+{{ tuple $envAll "ovn_controller_kubectl" | include "helm-toolkit.snippets.image" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - |
+              kubectl get node ${NODENAME} -o jsonpath='{.metadata.labels.{{ .Values.labels.ovn_controller_gw.node_selector_key }}}' > /tmp/gw-enabled/gw-enabled
+          env:
+            - name: NODENAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          volumeMounts:
+            - name: gw-enabled
+              mountPath: /tmp/gw-enabled
+              readOnly: false
         - name: controller-init
-{{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ dict "envAll" $envAll "application" "ovn_controller" "container" "controller_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
           command:
             - /tmp/ovn-controller-init.sh
           env:
-            - name: OVN_CMS_OPTIONS
-              value: {{ .Values.conf.ovn_cms_options | quote }}
             - name: NODE_NAME
               valueFrom:
                 fieldRef:
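Review bot: `get-gw-enabled` is the only container defined in the visible hunks without the `helm-toolkit.snippets.kubernetes_container_security_context` include, so it runs with whatever user and privileges the kubectl image defaults to while using the pod's service-account token. Adding `{{ dict "envAll" $envAll "application" "ovn_controller" "container" "get_gw_enabled" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` with a matching values entry (for instance `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false`; its only write goes to the `gw-enabled` emptyDir) would bring it in line with the other containers. The same hunk turns on `hostPID` and `hostIPC` for every container in the pod, including the optional vector and log-parser sidecars, and nothing visible here says what needs them; a comment naming the consumer would make that exposure reviewable. The jsonpath also interpolates the label key unescaped, so a key containing dots would need `\.` escaping to resolve.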
@@ -83,14 +122,17 @@
               mountPath: /tmp/auto_bridge_add
               subPath: auto_bridge_add
               readOnly: true
+            - name: gw-enabled
+              mountPath: /tmp/gw-enabled
+              readOnly: true
       containers:
         - name: controller
-          command:
-            - /root/ovnkube.sh
-            - ovn-controller
 {{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "ovn_controller" "container" "controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /root/ovnkube.sh
+            - ovn-controller
 {{ dict "envAll" . "component" "ovn_controller" "container" "controller" "type" "readiness" "probeTemplate" (include "controllerReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
           env:
             - name: OVN_DAEMONSET_VERSION
@@ -109,9 +151,57 @@
               value: "no"
           volumeMounts:
             - name: run-openvswitch
-              mountPath: /var/run/ovn
+              mountPath: /run/openvswitch
+            - name: logs
+              mountPath: /var/log/ovn
             - name: run-openvswitch
-              mountPath: /var/run/openvswitch
+              mountPath: /run/ovn
+        {{- if .Values.pod.sidecars.vector }}
+        - name: vector
+{{ tuple $envAll "vector" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.vector | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovn_controller" "container" "vector" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - vector
+            - --config
+            - /etc/vector/vector.toml
+          volumeMounts:
+            - name: vector-config
+              mountPath: /etc/vector
+            - name: logs
+              mountPath: /logs
+            - name: vector-data
+              mountPath: /var/lib/vector
+        {{- end }}
+        {{- if .Values.pod.sidecars.ovn_logging_parser }}
+        - name: log-parser
+{{ tuple $envAll "ovn_logging_parser" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ovn_logging_parser | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovn_controller" "container" "ovn_logging_parser" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/ovn-network-logging-parser.sh
+            - start
+          env:
+            - name: VECTOR_HTTP_ENDPOINT
+              value: http://localhost:5001
+          ports:
+            - name: http
+              containerPort: {{ tuple "ovn_logging_parser" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              protocol: TCP
+          volumeMounts:
+            - name: neutron-etc
+              mountPath: /etc/neutron/neutron.conf
+              subPath: neutron.conf
+              readOnly: true
+            - name: ovn-bin
+              mountPath: /tmp/ovn-network-logging-parser.sh
+              subPath: ovn-network-logging-parser.sh
+              readOnly: true
+            - name: ovn-etc
+              mountPath: /etc/neutron/neutron-ovn-network-logging-parser-uwsgi.ini
+              subPath: neutron-ovn-network-logging-parser-uwsgi.ini
+              readOnly: true
+        {{- end }}
       volumes:
         - name: ovn-bin
           configMap:
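Review bot: The vector sidecar mounts `logs` at `/logs` read-write, and in this commit `logs` is a hostPath to the node's `/var/log/ovn` rather than the `shared` emptyDir the removed gateway DaemonSet used. If vector only tails those files (its own state goes to `vector-data`), adding `readOnly: true` to that mount keeps a misbehaving or compromised sidecar from altering or deleting the node's OVN logs. The vector configuration is not part of this diff, so confirm it has no sink writing under `/logs` first.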
@@ -125,4 +215,27 @@
           secret:
             secretName: {{ $configMapName }}
             defaultMode: 0444
+        - name: logs
+          hostPath:
+            path: /var/log/ovn
+            type: DirectoryOrCreate
+        - name: run-ovn
+          hostPath:
+            path: /run/ovn
+            type: DirectoryOrCreate
+        - name: gw-enabled
+          emptyDir: {}
+        {{- if .Values.pod.sidecars.vector }}
+        - name: vector-config
+          secret:
+            secretName: ovn-vector-config
+        - name: vector-data
+          emptyDir: {}
+        {{- end }}
+        {{- if .Values.pod.sidecars.ovn_logging_parser }}
+        - name: neutron-etc
+          secret:
+            secretName: neutron-etc
+            defaultMode: 0444
+        {{- end }}
 {{- end }}
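Review bot: The `run-ovn` hostPath volume added here is not referenced by any volumeMount visible in this commit; the controller container mounts `run-openvswitch` at `/run/ovn` instead, so OVN's runtime files end up in the same host directory as Open vSwitch's. If that is intended, the `run-ovn` volume is dead configuration and can go; if not, the mount should read `- name: run-ovn` with `mountPath: /run/ovn`. Parts of the pod spec lie outside the hunks, so check controller-init's mounts before changing either side.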
diff --git a/charts/ovn/templates/deployment-northd.yaml b/charts/ovn/templates/deployment-northd.yaml
index ae31b35..f945bb2 100644
--- a/charts/ovn/templates/deployment-northd.yaml
+++ b/charts/ovn/templates/deployment-northd.yaml
@@ -62,6 +62,7 @@
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "ovn_northd" "container" "northd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 {{ dict "envAll" . "component" "ovn_northd" "container" "northd" "type" "readiness" "probeTemplate" (include "northdReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" . "component" "ovn_northd" "container" "northd" "type" "liveness" "probeTemplate" (include "northdReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
           env:
             - name: OVN_DAEMONSET_VERSION
               value: "3"
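Review bot: The new liveness probe is built from `northdReadinessProbeTemplate`, so northd is restarted under exactly the condition that marks it not ready. The template body is outside this hunk; if its check can fail for reasons a restart does not fix (for instance the NB or SB database being unreachable), northd would restart in a loop for the duration of the outage. Consider a separate liveness template, or at least a comment such as `# liveness intentionally reuses the readiness check` so the coupling is a recorded decision.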
diff --git a/charts/ovn/templates/statefulset-ovsdb-nb.yaml b/charts/ovn/templates/statefulset-ovsdb-nb.yaml
index 4866074..98e70ad 100644
--- a/charts/ovn/templates/statefulset-ovsdb-nb.yaml
+++ b/charts/ovn/templates/statefulset-ovsdb-nb.yaml
@@ -73,6 +73,7 @@
 {{ tuple $envAll "ovn_ovsdb_nb" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" . "component" "ovn_ovsdb_nb" "container" "ovsdb" "type" "readiness" "probeTemplate" (include "ovnnbReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+
           ports:
             - containerPort: {{ tuple "ovn-ovsdb-nb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
             - containerPort: {{ tuple "ovn-ovsdb-nb" "internal" "raft" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@@ -110,7 +111,9 @@
               mountPath: /etc/ovn
       volumes:
         - name: run-openvswitch
-          emptyDir: {}
+          hostPath:
+            path: /run/openvswitch
+            type: DirectoryOrCreate
 {{- if not .Values.volume.ovn_ovsdb_nb.enabled }}
         - name: data
           emptyDir: {}
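Review bot: Replacing the `run-openvswitch` emptyDir with a hostPath to `/run/openvswitch` gives the NB database pod access to a node directory that the ovn-controller pod in this commit also mounts under the same volume name, presumably the host's Open vSwitch runtime directory. The mount point and the container's security context are outside the hunk, but sharing one host directory means pid files and control sockets from separate pods can collide, and a database container can reach sockets that belong to the node's vswitch. The identical change in `statefulset-ovsdb-sb.yaml` has the same effect. If the goal is to keep sockets across container restarts, a component-specific host path, or a comment stating why the shared directory is required, would be safer.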
diff --git a/charts/ovn/templates/statefulset-ovsdb-sb.yaml b/charts/ovn/templates/statefulset-ovsdb-sb.yaml
index 92af96d..694348b 100644
--- a/charts/ovn/templates/statefulset-ovsdb-sb.yaml
+++ b/charts/ovn/templates/statefulset-ovsdb-sb.yaml
@@ -110,7 +110,9 @@
               mountPath: /etc/ovn
       volumes:
         - name: run-openvswitch
-          emptyDir: {}
+          hostPath:
+            path: /run/openvswitch
+            type: DirectoryOrCreate
 {{- if not .Values.volume.ovn_ovsdb_sb.enabled }}
         - name: data
           emptyDir: {}
diff --git a/charts/ovn/values.yaml b/charts/ovn/values.yaml
index 5c35a2f..8c99d50 100644
--- a/charts/ovn/values.yaml
+++ b/charts/ovn/values.yaml
@@ -20,11 +20,12 @@
 
 images:
   tags:
-    ovn_ovsdb_nb: docker.io/openstackhelm/ovn:latest-ubuntu_focal
-    ovn_ovsdb_sb: docker.io/openstackhelm/ovn:latest-ubuntu_focal
-    ovn_northd: docker.io/openstackhelm/ovn:latest-ubuntu_focal
-    ovn_controller: docker.io/openstackhelm/ovn:latest-ubuntu_focal
-    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    ovn_ovsdb_nb: docker.io/openstackhelm/ovn:ubuntu_focal
+    ovn_ovsdb_sb: docker.io/openstackhelm/ovn:ubuntu_focal
+    ovn_northd: docker.io/openstackhelm/ovn:ubuntu_focal
+    ovn_controller: docker.io/openstackhelm/ovn:ubuntu_focal
+    ovn_controller_kubectl: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
     image_repo_sync: docker.io/library/docker:17.07.0
     vector: docker.io/timberio/vector:0.39.0-debian
     ovn_logging_parser: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
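Review bot: `dep_check` moves from the fixed `v1.0.0` tag to the floating `latest-ubuntu_focal`, and the new `ovn_controller_kubectl` default is a `latest-*` tag as well. The kubectl image is what the `get-gw-enabled` init container runs with the service account that has cluster-wide node read, so whatever is pushed to that tag next executes on every node that schedules the pod. Unless the deployment overrides these defaults elsewhere (not visible here), pin both to a release tag or an `image@sha256:<digest>` reference.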
@@ -37,19 +38,19 @@
 
 labels:
   ovn_ovsdb_nb:
-    node_selector_key: openstack-compute-node
+    node_selector_key: openstack-network-node
     node_selector_value: enabled
   ovn_ovsdb_sb:
-    node_selector_key: openstack-compute-node
+    node_selector_key: openstack-network-node
     node_selector_value: enabled
   ovn_northd:
-    node_selector_key: openstack-compute-node
+    node_selector_key: openstack-network-node
     node_selector_value: enabled
   ovn_controller:
-    node_selector_key: openstack-compute-node
+    node_selector_key: openvswitch
     node_selector_value: enabled
   ovn_controller_gw:
-    node_selector_key: openstack-control-plane
+    node_selector_key: l3-agent
     node_selector_value: enabled
 
 volume:
@@ -72,7 +73,7 @@
 
 conf:
   ovn_cms_options: "availability-zones=nova"
-  gw_ovn_cms_options: "enable-chassis-as-gw,availability-zones=nova"
+  ovn_cms_options_gw_enabled: "enable-chassis-as-gw,availability-zones=nova"
   ovn_encap_type: geneve
   ovn_bridge: br-int
   ovn_bridge_mappings: external:br-ex
@@ -84,10 +85,6 @@
   #   br-public: eth1
   auto_bridge_add: {}
 
-  # NOTE: should be same as nova.conf.use_fqdn.compute
-  use_fqdn:
-    compute: true
-
   ovn_network_logging_parser_uwsgi:
     uwsgi:
       add-header: "Connection: close"
@@ -107,6 +104,9 @@
       wsgi-file: /var/lib/openstack/bin/neutron-ovn-network-logging-parser-wsgi
 
 pod:
+  # NOTE: should be same as nova.pod.use_fqdn.compute
+  use_fqdn:
+    compute: true
   security_context:
     ovn_northd:
       container:
@@ -117,21 +117,11 @@
     ovn_controller:
       container:
         controller_init:
+          readOnlyRootFilesystem: true
           privileged: true
-          runAsUser: 0
         controller:
-          capabilities:
-            add:
-              - SYS_NICE
-    ovn_controller_gw:
-      container:
-        controller_init:
+          readOnlyRootFilesystem: true
           privileged: true
-          runAsUser: 0
-        controller:
-          capabilities:
-            add:
-              - SYS_NICE
         ovn_logging_parser:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
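Review bot: The long-running `controller` container goes from one added capability (`SYS_NICE`) to `privileged: true`, and the DaemonSet template in the same commit adds `hostPID` and `hostIPC` on top of the existing `hostNetwork`. Together that makes ovn-controller equivalent to root on the node, and `readOnlyRootFilesystem: true` offsets little of it because a privileged container can still reach host devices and, through the host PID namespace, host processes. If the merged DaemonSet needs more than `SYS_NICE`, listing the specific capabilities under `capabilities.add` would limit what a compromised ovn-controller can do; if full privilege is really required, a comment naming the operation that needs it would help. Dropping `runAsUser: 0` from `controller_init` also leaves the init script's user to the image default.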
@@ -147,8 +137,6 @@
       enabled: false
     ovn_controller:
       enabled: false
-    ovn_controller_gw:
-      enabled: false
   affinity:
     anti:
       type:
@@ -224,10 +212,6 @@
           enabled: true
           min_ready_seconds: 0
           max_unavailable: 1
-        ovn_controller_gw:
-          enabled: true
-          min_ready_seconds: 0
-          max_unavailable: 1
   resources:
     enabled: false
     ovs:
@@ -259,28 +243,20 @@
         limits:
           memory: "1024Mi"
           cpu: "2000m"
-      ovn_controller_gw:
-        requests:
-          memory: "128Mi"
-          cpu: "100m"
-        limits:
-          memory: "1024Mi"
-          cpu: "2000m"
-    ovn_controller_gw:
-      ovn_logging_parser:
-        requests:
-          memory: "128Mi"
-          cpu: "100m"
-        limits:
-          memory: "256Mi"
-          cpu: "500m"
-      vector:
-        requests:
-          memory: "128Mi"
-          cpu: "100m"
-        limits:
-          memory: "256Mi"
-          cpu: "500m"
+    ovn_logging_parser:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "256Mi"
+        cpu: "500m"
+    vector:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "256Mi"
+        cpu: "500m"
     jobs:
       image_repo_sync:
         requests:
@@ -289,6 +265,7 @@
         limits:
           memory: "1024Mi"
           cpu: "2000m"
+
   sidecars:
     ovn_logging_parser: false
     vector: false
@@ -387,9 +364,6 @@
   ovn_controller:
     ingress:
       - {}
-  ovn_controller_gw:
-    ingress:
-      - {}
     egress:
       - {}
 
@@ -415,10 +389,6 @@
       services:
         - endpoint: internal
           service: ovn-ovsdb-sb
-    ovn_controller_gw:
-      services:
-        - endpoint: internal
-          service: ovn-ovsdb-sb
       pod:
         - requireSameNode: true
           labels:
@@ -439,6 +409,5 @@
   statefulset_ovn_ovsdb_sb: true
   deployment_ovn_northd: true
   daemonset_ovn_controller: true
-  daemonset_ovn_controller_gw: true
   job_image_repo_sync: true
 ...
diff --git a/charts/patches/ovn/0001-switch-to-ovn-kubernetes.patch b/charts/patches/ovn/0001-switch-to-ovn-kubernetes.patch
index f8dc4c1..35719dd 100644
--- a/charts/patches/ovn/0001-switch-to-ovn-kubernetes.patch
+++ b/charts/patches/ovn/0001-switch-to-ovn-kubernetes.patch
@@ -1,7 +1,7 @@
-diff --git b/ovn/templates/bin/_ovn-controller-init.sh.tpl a/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl
-index 1e61577d..77e1e687 100644
---- b/ovn/templates/bin/_ovn-controller-init.sh.tpl
-+++ a/ovn/templates/bin/_ovn-controller-init.sh.tpl
+diff --git a/ovn/templates/bin/_ovn-controller-init.sh.tpl b/ovn/templates/bin/_ovn-controller-init.sh.tpl
+index 55cc2ecb..885204a0 100644
+--- a/ovn/templates/bin/_ovn-controller-init.sh.tpl
++++ b/ovn/templates/bin/_ovn-controller-init.sh.tpl
 @@ -14,6 +14,8 @@
  # See the License for the specific language governing permissions and
  # limitations under the License.
@@ -10,7 +10,7 @@
 +
  function get_ip_address_from_interface {
    local interface=$1
-   local ip=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' '{print $1}')
+   local ip=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' 'NR==1 {print $1}')
 @@ -75,6 +77,19 @@ function migrate_ip_from_nic {
    set -e
  }
@@ -63,21 +63,22 @@
  
  # Configure OVN remote
  {{- if empty .Values.conf.ovn_remote -}}
-@@ -118,6 +145,9 @@ ovs-vsctl set open . external-ids:ovn-encap-type="{{ .Values.conf.ovn_encap_type
- ovs-vsctl set open . external-ids:ovn-bridge="{{ .Values.conf.ovn_bridge }}"
- ovs-vsctl set open . external-ids:ovn-bridge-mappings="{{ .Values.conf.ovn_bridge_mappings }}"
- ovs-vsctl set open . external-ids:ovn-cms-options="${OVN_CMS_OPTIONS}"
+@@ -125,6 +152,10 @@ else
+   ovs-vsctl set open . external-ids:ovn-cms-options={{ .Values.conf.ovn_cms_options }}
+ fi
+ 
 +{{ if .Values.conf.ovn_bridge_datapath_type -}}
 +ovs-vsctl set open . external-ids:ovn-bridge-datapath-type="{{ .Values.conf.ovn_bridge_datapath_type }}"
 +{{- end }}
- 
++
  # Configure hostname
- {{- if .Values.conf.use_fqdn.compute }}
-diff --git b/ovn/templates/clusterrole-controller.yaml a/charts/ovn/templates/clusterrole-controller.yaml
+ {{- if .Values.pod.use_fqdn.compute }}
+   ovs-vsctl set open . external-ids:hostname="$(hostname -f)"
+diff --git a/ovn/templates/clusterrole-controller.yaml b/ovn/templates/clusterrole-controller.yaml
 new file mode 100644
 index 00000000..8291f65a
 --- /dev/null
-+++ a/ovn/templates/clusterrole-controller.yaml
++++ b/ovn/templates/clusterrole-controller.yaml
 @@ -0,0 +1,12 @@
 +apiVersion: rbac.authorization.k8s.io/v1
 +kind: ClusterRole
@@ -91,11 +92,11 @@
 +  verbs:
 +  - get
 +  - patch
-diff --git b/ovn/templates/clusterrolebinding-controller.yaml a/charts/ovn/templates/clusterrolebinding-controller.yaml
+diff --git a/ovn/templates/clusterrolebinding-controller.yaml b/ovn/templates/clusterrolebinding-controller.yaml
 new file mode 100644
 index 00000000..c95ef5e9
 --- /dev/null
-+++ a/ovn/templates/clusterrolebinding-controller.yaml
++++ b/ovn/templates/clusterrolebinding-controller.yaml
 @@ -0,0 +1,15 @@
 +apiVersion: rbac.authorization.k8s.io/v1
 +kind: ClusterRoleBinding
@@ -112,10 +113,10 @@
 +- kind: ServiceAccount
 +  name: ovn-controller-gw
 +  namespace: {{ .Release.Namespace }}
-diff --git b/ovn/templates/configmap-bin.yaml a/charts/ovn/templates/configmap-bin.yaml
+diff --git a/ovn/templates/configmap-bin.yaml b/ovn/templates/configmap-bin.yaml
 index a849dd8a..82001f99 100644
---- b/ovn/templates/configmap-bin.yaml
-+++ a/ovn/templates/configmap-bin.yaml
+--- a/ovn/templates/configmap-bin.yaml
++++ b/ovn/templates/configmap-bin.yaml
 @@ -24,12 +24,6 @@ data:
    image-repo-sync.sh: |
  {{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
@@ -129,89 +130,10 @@
 -  ovn-controller.sh: |
 -{{ tuple "bin/_ovn-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  {{- end }}
-diff --git b/ovn/templates/daemonset-controller-gw.yaml a/charts/ovn/templates/daemonset-controller-gw.yaml
-index 6307bbab..eb309c5e 100644
---- b/ovn/templates/daemonset-controller-gw.yaml
-+++ a/ovn/templates/daemonset-controller-gw.yaml
-@@ -12,6 +12,15 @@ See the License for the specific language governing permissions and
- limitations under the License.
- */}}
- 
-+{{- define "controllerGatewayReadinessProbeTemplate" }}
-+exec:
-+  command:
-+    - /usr/bin/ovn-kube-util
-+    - readiness-probe
-+    - -t
-+    - ovn-controller
-+{{- end }}
-+
- {{- if .Values.manifests.daemonset_ovn_controller_gw }}
- {{- $envAll := . }}
- 
-@@ -59,6 +68,10 @@ spec:
-           env:
-             - name: OVN_CMS_OPTIONS
-               value: {{ .Values.conf.gw_ovn_cms_options | quote }}
-+            - name: NODE_NAME
-+              valueFrom:
-+                fieldRef:
-+                  fieldPath: spec.nodeName
-           volumeMounts:
-             - name: ovn-bin
-               mountPath: /tmp/ovn-controller-init.sh
-@@ -72,25 +85,33 @@ spec:
-               readOnly: true
-       containers:
-         - name: controller
-+          command:
-+            - /root/ovnkube.sh
-+            - ovn-controller
- {{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
- {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- {{ dict "envAll" $envAll "application" "ovn_controller_gw" "container" "controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
--          command:
--            - /tmp/ovn-controller.sh
--            - start
--          lifecycle:
--            preStop:
--              exec:
--                command:
--                  - /tmp/ovn-controller.sh
--                  - stop
-+{{ dict "envAll" . "component" "ovn_controller_gw" "container" "controller" "type" "readiness" "probeTemplate" (include "controllerGatewayReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
-+          env:
-+            - name: OVN_DAEMONSET_VERSION
-+              value: "3"
-+            - name: OVN_LOGLEVEL_CONTROLLER
-+              value: "-vconsole:info -vfile:info"
-+            - name: OVN_KUBERNETES_NAMESPACE
-+              valueFrom:
-+                fieldRef:
-+                  fieldPath: metadata.namespace
-+            - name: OVN_KUBERNETES_NB_STATEFULSET
-+              value: ovn-ovsdb-nb
-+            - name: OVN_KUBERNETES_SB_STATEFULSET
-+              value: ovn-ovsdb-sb
-+            - name: OVN_SSL_ENABLE
-+              value: "no"
-           volumeMounts:
--            - name: ovn-bin
--              mountPath: /tmp/ovn-controller.sh
--              subPath: ovn-controller.sh
--              readOnly: true
-             - name: run-openvswitch
--              mountPath: /run/openvswitch
-+              mountPath: /var/run/ovn
-+            - name: run-openvswitch
-+              mountPath: /var/run/openvswitch
-       volumes:
-         - name: ovn-bin
-           configMap:
-diff --git b/ovn/templates/daemonset-controller.yaml a/charts/ovn/templates/daemonset-controller.yaml
-index 85daf70b..b6b0b048 100644
---- b/ovn/templates/daemonset-controller.yaml
-+++ a/ovn/templates/daemonset-controller.yaml
+diff --git a/ovn/templates/daemonset-controller.yaml b/ovn/templates/daemonset-controller.yaml
+index 4cd5d9b2..fae94512 100644
+--- a/ovn/templates/daemonset-controller.yaml
++++ b/ovn/templates/daemonset-controller.yaml
 @@ -12,6 +12,15 @@ See the License for the specific language governing permissions and
  limitations under the License.
  */}}
@@ -228,10 +150,11 @@
  {{- if .Values.manifests.daemonset_ovn_controller }}
  {{- $envAll := . }}
  
-@@ -59,6 +68,10 @@ spec:
-           env:
-             - name: OVN_CMS_OPTIONS
-               value: {{ .Values.conf.ovn_cms_options | quote }}
+@@ -106,6 +106,11 @@ spec:
+ {{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
+           command:
+             - /tmp/ovn-controller-init.sh
++          env:
 +            - name: NODE_NAME
 +              valueFrom:
 +                fieldRef:
@@ -239,17 +162,10 @@
            volumeMounts:
              - name: ovn-bin
                mountPath: /tmp/ovn-controller-init.sh
-@@ -72,25 +85,33 @@ spec:
-               readOnly: true
-       containers:
-         - name: controller
-+          command:
-+            - /root/ovnkube.sh
-+            - ovn-controller
- {{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
+@@ -117,17 +122,23 @@ spec:
  {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
  {{ dict "envAll" $envAll "application" "ovn_controller" "container" "controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
--          command:
+           command:
 -            - /tmp/ovn-controller.sh
 -            - start
 -          lifecycle:
@@ -258,6 +174,8 @@
 -                command:
 -                  - /tmp/ovn-controller.sh
 -                  - stop
++            - /root/ovnkube.sh
++            - ovn-controller
 +{{ dict "envAll" . "component" "ovn_controller" "container" "controller" "type" "readiness" "probeTemplate" (include "controllerReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
 +          env:
 +            - name: OVN_DAEMONSET_VERSION
@@ -280,17 +198,19 @@
 -              subPath: ovn-controller.sh
 -              readOnly: true
              - name: run-openvswitch
--              mountPath: /run/openvswitch
-+              mountPath: /var/run/ovn
+@@ -154,7 +154,7 @@ spec:
+               mountPath: /run/openvswitch
+             - name: logs
+               mountPath: /var/log/ovn
+-            - name: run-ovn
 +            - name: run-openvswitch
-+              mountPath: /var/run/openvswitch
-       volumes:
-         - name: ovn-bin
-           configMap:
-diff --git b/ovn/templates/deployment-northd.yaml a/charts/ovn/templates/deployment-northd.yaml
+               mountPath: /run/ovn
+         {{- if .Values.pod.sidecars.vector }}
+         - name: vector
+diff --git a/ovn/templates/deployment-northd.yaml b/ovn/templates/deployment-northd.yaml
 index e3afdd05..ae31b357 100644
---- b/ovn/templates/deployment-northd.yaml
-+++ a/ovn/templates/deployment-northd.yaml
+--- a/ovn/templates/deployment-northd.yaml
++++ b/ovn/templates/deployment-northd.yaml
 @@ -12,18 +12,13 @@ See the License for the specific language governing permissions and
  limitations under the License.
  */}}
@@ -315,7 +235,7 @@
  {{- end }}
  
  {{- if .Values.manifests.deployment_northd }}
-@@ -60,28 +55,26 @@ spec:
+@@ -60,28 +55,27 @@ spec:
  {{- tuple $envAll "ovn_northd" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
        containers:
          - name: northd
@@ -347,6 +267,7 @@
 -            name: ovn-bin
 -            defaultMode: 0555
 +{{ dict "envAll" . "component" "ovn_northd" "container" "northd" "type" "readiness" "probeTemplate" (include "northdReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
++{{ dict "envAll" . "component" "ovn_northd" "container" "northd" "type" "liveness" "probeTemplate" (include "northdReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
 +          env:
 +            - name: OVN_DAEMONSET_VERSION
 +              value: "3"
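Review bot: The added liveness probe line passes `northdReadinessProbeTemplate` as its `probeTemplate`, so northd's liveness and readiness run the same check. The template body is outside the hunk, so it cannot be confirmed here that the check is safe as a restart trigger; if it can fail in situations a restart does not fix, the kubelet would restart the container repeatedly. A short template comment such as `{{/* liveness intentionally reuses the readiness check */}}`, or a separate `northdLivenessProbeTemplate`, would make the intent explicit. It is also worth confirming that a liveness entry with its own timing exists for `ovn_northd` in `values.yaml`, since only readiness parameters are visible in this patch.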
@@ -363,11 +284,11 @@
 +            - name: OVN_SSL_ENABLE
 +              value: "no"
  {{- end }}
-diff --git b/ovn/templates/role-controller.yaml a/charts/ovn/templates/role-controller.yaml
+diff --git a/ovn/templates/role-controller.yaml b/ovn/templates/role-controller.yaml
 new file mode 100644
 index 00000000..de3cfa6d
 --- /dev/null
-+++ a/ovn/templates/role-controller.yaml
++++ b/ovn/templates/role-controller.yaml
 @@ -0,0 +1,11 @@
 +apiVersion: rbac.authorization.k8s.io/v1
 +kind: Role
@@ -380,11 +301,11 @@
 +  - endpointslices
 +  verbs:
 +  - list
-diff --git b/ovn/templates/role-northd.yaml a/charts/ovn/templates/role-northd.yaml
+diff --git a/ovn/templates/role-northd.yaml b/ovn/templates/role-northd.yaml
 new file mode 100644
 index 00000000..ca02fae6
 --- /dev/null
-+++ a/ovn/templates/role-northd.yaml
++++ b/ovn/templates/role-northd.yaml
 @@ -0,0 +1,11 @@
 +apiVersion: rbac.authorization.k8s.io/v1
 +kind: Role
@@ -397,11 +318,11 @@
 +  - endpointslices
 +  verbs:
 +  - list
-diff --git b/ovn/templates/role-ovsdb.yaml a/charts/ovn/templates/role-ovsdb.yaml
+diff --git a/ovn/templates/role-ovsdb.yaml b/ovn/templates/role-ovsdb.yaml
 new file mode 100644
 index 00000000..10e0e239
 --- /dev/null
-+++ a/ovn/templates/role-ovsdb.yaml
++++ b/ovn/templates/role-ovsdb.yaml
 @@ -0,0 +1,19 @@
 +apiVersion: rbac.authorization.k8s.io/v1
 +kind: Role
@@ -422,11 +343,11 @@
 +  verbs:
 +  - list
 +  - get
-diff --git b/ovn/templates/rolebinding-controller.yaml a/charts/ovn/templates/rolebinding-controller.yaml
+diff --git a/ovn/templates/rolebinding-controller.yaml b/ovn/templates/rolebinding-controller.yaml
 new file mode 100644
 index 00000000..7973c7e2
 --- /dev/null
-+++ a/ovn/templates/rolebinding-controller.yaml
++++ b/ovn/templates/rolebinding-controller.yaml
 @@ -0,0 +1,13 @@
 +apiVersion: rbac.authorization.k8s.io/v1
 +kind: RoleBinding
@@ -441,11 +362,11 @@
 +  name: ovn-controller
 +- kind: ServiceAccount
 +  name: ovn-controller-gw
-diff --git b/ovn/templates/rolebinding-northd.yaml a/charts/ovn/templates/rolebinding-northd.yaml
+diff --git a/ovn/templates/rolebinding-northd.yaml b/ovn/templates/rolebinding-northd.yaml
 new file mode 100644
 index 00000000..428a4707
 --- /dev/null
-+++ a/ovn/templates/rolebinding-northd.yaml
++++ b/ovn/templates/rolebinding-northd.yaml
 @@ -0,0 +1,11 @@
 +apiVersion: rbac.authorization.k8s.io/v1
 +kind: RoleBinding
@@ -458,11 +379,11 @@
 +subjects:
 +- kind: ServiceAccount
 +  name: ovn-northd
-diff --git b/ovn/templates/rolebinding-ovsdb.yaml a/charts/ovn/templates/rolebinding-ovsdb.yaml
+diff --git a/ovn/templates/rolebinding-ovsdb.yaml b/ovn/templates/rolebinding-ovsdb.yaml
 new file mode 100644
 index 00000000..f32382bc
 --- /dev/null
-+++ a/ovn/templates/rolebinding-ovsdb.yaml
++++ b/ovn/templates/rolebinding-ovsdb.yaml
 @@ -0,0 +1,13 @@
 +apiVersion: rbac.authorization.k8s.io/v1
 +kind: RoleBinding
@@ -477,10 +398,10 @@
 +  name: ovn-ovsdb-nb
 +- kind: ServiceAccount
 +  name: ovn-ovsdb-sb
-diff --git b/ovn/templates/service-ovsdb-nb.yaml a/charts/ovn/templates/service-ovsdb-nb.yaml
+diff --git a/ovn/templates/service-ovsdb-nb.yaml b/ovn/templates/service-ovsdb-nb.yaml
 index b93da9b8..56f7cd09 100644
---- b/ovn/templates/service-ovsdb-nb.yaml
-+++ a/ovn/templates/service-ovsdb-nb.yaml
+--- a/ovn/templates/service-ovsdb-nb.yaml
++++ b/ovn/templates/service-ovsdb-nb.yaml
 @@ -20,6 +20,7 @@ kind: Service
  metadata:
    name: {{ tuple "ovn-ovsdb-nb" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
@@ -489,10 +410,10 @@
    ports:
      - name: ovsdb
        port: {{ tuple "ovn-ovsdb-nb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-diff --git b/ovn/templates/service-ovsdb-sb.yaml a/charts/ovn/templates/service-ovsdb-sb.yaml
+diff --git a/ovn/templates/service-ovsdb-sb.yaml b/ovn/templates/service-ovsdb-sb.yaml
 index 70f62c6e..4a6b5864 100644
---- b/ovn/templates/service-ovsdb-sb.yaml
-+++ a/ovn/templates/service-ovsdb-sb.yaml
+--- a/ovn/templates/service-ovsdb-sb.yaml
++++ b/ovn/templates/service-ovsdb-sb.yaml
 @@ -20,6 +20,7 @@ kind: Service
  metadata:
    name: {{ tuple "ovn-ovsdb-sb" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
@@ -501,10 +422,10 @@
    ports:
      - name: ovsdb
        port: {{ tuple "ovn-ovsdb-sb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-diff --git b/ovn/templates/statefulset-ovsdb-nb.yaml a/charts/ovn/templates/statefulset-ovsdb-nb.yaml
-index c8198279..4866074e 100644
---- b/ovn/templates/statefulset-ovsdb-nb.yaml
-+++ a/ovn/templates/statefulset-ovsdb-nb.yaml
+diff --git a/ovn/templates/statefulset-ovsdb-nb.yaml b/ovn/templates/statefulset-ovsdb-nb.yaml
+index 04958165..98e70ada 100644
+--- a/ovn/templates/statefulset-ovsdb-nb.yaml
++++ b/ovn/templates/statefulset-ovsdb-nb.yaml
 @@ -12,6 +12,19 @@ See the License for the specific language governing permissions and
  limitations under the License.
  */}}
@@ -533,7 +454,7 @@
    replicas: {{ .Values.pod.replicas.ovn_ovsdb_nb }}
    selector:
      matchLabels:
-@@ -49,41 +63,54 @@ spec:
+@@ -49,43 +63,57 @@ spec:
  {{- tuple $envAll "ovn_ovsdb_nb" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
        containers:
          - name: ovsdb
@@ -547,6 +468,7 @@
  {{ tuple $envAll "ovn_ovsdb_nb" | include "helm-toolkit.snippets.image" | indent 10 }}
  {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 +{{ dict "envAll" . "component" "ovn_ovsdb_nb" "container" "ovsdb" "type" "readiness" "probeTemplate" (include "ovnnbReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
++
            ports:
              - containerPort: {{ tuple "ovn-ovsdb-nb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
              - containerPort: {{ tuple "ovn-ovsdb-nb" "internal" "raft" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@@ -602,7 +524,9 @@
 +              mountPath: /etc/ovn
        volumes:
          - name: run-openvswitch
-           emptyDir: {}
+           hostPath:
+             path: /run/openvswitch
+             type: DirectoryOrCreate
 -        - name: ovn-bin
 -          configMap:
 -            name: ovn-bin
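Review bot: The refreshed context for the `run-openvswitch` volume in `statefulset-ovsdb-nb.yaml` is now a `hostPath` on `/run/openvswitch` with `type: DirectoryOrCreate` instead of `emptyDir: {}`, and the `statefulset-ovsdb-sb.yaml` hunk further down shows the same change. That gives the OVSDB pods access to the node's Open vSwitch runtime directory and ties them to node state. A namespace enforcing the baseline or restricted Pod Security level rejects hostPath volumes. These are context lines, so the patch only tracks the chart; the thing to confirm is in the chart itself, namely that the database pods need the host directory, with a comment beside the volume such as `# hostPath: shares the node's OVS runtime directory with <consumer>` if they do. The `volumes:` list continues outside the hunk.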
@@ -610,10 +534,10 @@
  {{- if not .Values.volume.ovn_ovsdb_nb.enabled }}
          - name: data
            emptyDir: {}
-diff --git b/ovn/templates/statefulset-ovsdb-sb.yaml a/charts/ovn/templates/statefulset-ovsdb-sb.yaml
-index 916ef94d..92af96de 100644
---- b/ovn/templates/statefulset-ovsdb-sb.yaml
-+++ a/ovn/templates/statefulset-ovsdb-sb.yaml
+diff --git a/ovn/templates/statefulset-ovsdb-sb.yaml b/ovn/templates/statefulset-ovsdb-sb.yaml
+index 9e7b6670..694348b2 100644
+--- a/ovn/templates/statefulset-ovsdb-sb.yaml
++++ b/ovn/templates/statefulset-ovsdb-sb.yaml
 @@ -12,6 +12,19 @@ See the License for the specific language governing permissions and
  limitations under the License.
  */}}
@@ -642,7 +566,7 @@
    replicas: {{ .Values.pod.replicas.ovn_ovsdb_sb }}
    selector:
      matchLabels:
-@@ -49,41 +63,54 @@ spec:
+@@ -49,43 +63,56 @@ spec:
  {{- tuple $envAll "ovn_ovsdb_sb" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
        containers:
          - name: ovsdb
@@ -711,7 +635,9 @@
 +              mountPath: /etc/ovn
        volumes:
          - name: run-openvswitch
-           emptyDir: {}
+           hostPath:
+             path: /run/openvswitch
+             type: DirectoryOrCreate
 -        - name: ovn-bin
 -          configMap:
 -            name: ovn-bin
@@ -719,7 +645,7 @@
  {{- if not .Values.volume.ovn_ovsdb_sb.enabled }}
          - name: data
            emptyDir: {}
-@@ -93,10 +120,10 @@ spec:
+@@ -95,10 +122,10 @@ spec:
          name: data
        spec:
          accessModes: ["ReadWriteOnce"]
@@ -731,11 +657,11 @@
  {{- end }}
  
  {{- end }}
-diff --git b/ovn/values.yaml a/charts/ovn/values.yaml
-index 518dd71e..214dd16f 100644
---- b/ovn/values.yaml
-+++ a/ovn/values.yaml
-@@ -52,12 +52,10 @@ labels:
+diff --git a/ovn/values.yaml b/ovn/values.yaml
+index a18184ab..b07a0f5a 100644
+--- a/ovn/values.yaml
++++ b/ovn/values.yaml
+@@ -51,12 +51,10 @@ labels:
  
  volume:
    ovn_ovsdb_nb:
@@ -757,7 +683,7 @@
  
    # auto_bridge_add:
    #   br-private: eth0
-@@ -138,13 +138,41 @@ pod:
+@@ -135,13 +135,41 @@ pod:
          readiness:
            enabled: true
            params:
@@ -804,7 +730,7 @@
    dns_policy: "ClusterFirstWithHostNet"
    replicas:
      ovn_ovsdb_nb: 1
-@@ -179,18 +207,18 @@ pod:
+@@ -176,18 +204,18 @@ pod:
      ovs:
        ovn_ovsdb_nb:
          requests:
diff --git a/charts/patches/ovn/0002-add-logging-parser.patch b/charts/patches/ovn/0002-add-logging-parser.patch
index f964369..69a74a0 100644
--- a/charts/patches/ovn/0002-add-logging-parser.patch
+++ b/charts/patches/ovn/0002-add-logging-parser.patch
@@ -69,21 +69,19 @@
  {{- end }}
  {{- end }}
  
-diff --git a/ovn/templates/daemonset-controller-gw.yaml b/ovn/templates/daemonset-controller-gw.yaml
-index eb309c5e..3ecd81dc 100644
---- a/ovn/templates/daemonset-controller-gw.yaml
-+++ b/ovn/templates/daemonset-controller-gw.yaml
-@@ -112,6 +112,54 @@ spec:
-               mountPath: /var/run/ovn
-             - name: run-openvswitch
-               mountPath: /var/run/openvswitch
-+            - name: shared
-+              mountPath: /var/log/ovn/
+diff --git a/ovn/templates/daemonset-controller.yaml b/ovn/templates/daemonset-controller.yaml
+index e421794f..843cbeaa 100644
+--- a/ovn/templates/daemonset-controller.yaml
++++ b/ovn/templates/daemonset-controller.yaml
+@@ -156,6 +156,52 @@ spec:
+               mountPath: /var/log/ovn
+             - name: run-ovn
+               mountPath: /run/ovn
 +        {{- if .Values.pod.sidecars.vector }}
 +        - name: vector
 +{{ tuple $envAll "vector" | include "helm-toolkit.snippets.image" | indent 10 }}
-+{{ tuple $envAll $envAll.Values.pod.resources.ovn_controller_gw.vector | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-+{{ dict "envAll" $envAll "application" "ovn_controller_gw" "container" "vector" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
++{{ tuple $envAll $envAll.Values.pod.resources.vector | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
++{{ dict "envAll" $envAll "application" "ovn_controller" "container" "vector" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 +          command:
 +            - vector
 +            - --config
@@ -91,7 +89,7 @@
 +          volumeMounts:
 +            - name: vector-config
 +              mountPath: /etc/vector
-+            - name: shared
++            - name: logs
 +              mountPath: /logs
 +            - name: vector-data
 +              mountPath: /var/lib/vector
@@ -99,8 +97,8 @@
 +        {{- if .Values.pod.sidecars.ovn_logging_parser }}
 +        - name: log-parser
 +{{ tuple $envAll "ovn_logging_parser" | include "helm-toolkit.snippets.image" | indent 10 }}
-+{{ tuple $envAll $envAll.Values.pod.resources.ovn_controller_gw.ovn_logging_parser | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-+{{ dict "envAll" $envAll "application" "ovn_controller_gw" "container" "ovn_logging_parser" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
++{{ tuple $envAll $envAll.Values.pod.resources.ovn_logging_parser | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
++{{ dict "envAll" $envAll "application" "ovn_controller" "container" "ovn_logging_parser" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 +          command:
 +            - /tmp/ovn-network-logging-parser.sh
 +            - start
@@ -128,12 +126,10 @@
        volumes:
          - name: ovn-bin
            configMap:
-@@ -125,4 +173,19 @@ spec:
-           secret:
-             secretName: {{ $configMapName }}
-             defaultMode: 0444
-+        - name: shared
-+          emptyDir: {}
+@@ -225,4 +225,17 @@
+             type: DirectoryOrCreate
+         - name: gw-enabled
+           emptyDir: {}
 +        {{- if .Values.pod.sidecars.vector }}
 +        - name: vector-config
 +          secret:
@@ -211,21 +207,20 @@
 +    tenant_id = "{{`{{ project_id }}`}}"
 +{{- end }}
 diff --git a/ovn/values.yaml b/ovn/values.yaml
-index 214dd16f..d0f2406b 100644
---- a/ovn/values.yaml
-+++ b/ovn/values.yaml
-@@ -26,6 +26,8 @@ images:
-     ovn_controller: docker.io/openstackhelm/ovn:latest-ubuntu_focal
-     dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+index b07a0f5a..79fde2c2 100644
+--- a/ovn//values.yaml
++++ b/ovn//values.yaml
+@@ -26,5 +26,7 @@ images:
+     dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
      image_repo_sync: docker.io/library/docker:17.07.0
 +    vector: docker.io/timberio/vector:0.39.0-debian
 +    ovn_logging_parser: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    pull_policy: "IfNotPresent"
    local_registry:
      active: false
-@@ -86,6 +88,24 @@ conf:
-   use_fqdn:
-     compute: true
+@@ -82,6 +84,24 @@ conf:
+   #   br-public: eth1
+   auto_bridge_add: {}
  
 +  ovn_network_logging_parser_uwsgi:
 +    uwsgi:
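Review bot: The regenerated file header on the added lines reads `--- a/ovn//values.yaml` and `+++ b/ovn//values.yaml` with a doubled slash, while the `diff --git a/ovn/values.yaml b/ovn/values.yaml` line directly above it uses a single slash. Tools that normalise paths will probably still apply the patch, but a stricter applier may treat the names as inconsistent and fail the chart sync. The two header lines should read `--- a/ovn/values.yaml` and `+++ b/ovn/values.yaml`.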
@@ -246,12 +241,12 @@
 +      wsgi-file: /var/lib/openstack/bin/neutron-ovn-network-logging-parser-wsgi
 +
  pod:
-   security_context:
-     ovn_northd:
-@@ -112,6 +132,12 @@ pod:
-           capabilities:
-             add:
-               - SYS_NICE
+   # NOTE: should be same as nova.pod.use_fqdn.compute
+   use_fqdn:
+@@ -109,6 +129,12 @@ pod:
+         controller:
+           readOnlyRootFilesystem: true
+           privileged: true
 +        ovn_logging_parser:
 +          allowPrivilegeEscalation: false
 +          readOnlyRootFilesystem: true
@@ -261,39 +256,40 @@
    tolerations:
      ovn_ovsdb_nb:
        enabled: false
-@@ -240,6 +266,21 @@ pod:
+@@ -237,6 +263,20 @@ pod:
          limits:
            memory: "1024Mi"
            cpu: "2000m"
-+    ovn_controller_gw:
-+      ovn_logging_parser:
-+        requests:
-+          memory: "128Mi"
-+          cpu: "100m"
-+        limits:
-+          memory: "256Mi"
-+          cpu: "500m"
-+      vector:
-+        requests:
-+          memory: "128Mi"
-+          cpu: "100m"
-+        limits:
-+          memory: "256Mi"
-+          cpu: "500m"
++    ovn_logging_parser:
++      requests:
++        memory: "128Mi"
++        cpu: "100m"
++      limits:
++        memory: "256Mi"
++        cpu: "500m"
++    vector:
++      requests:
++        memory: "128Mi"
++        cpu: "100m"
++      limits:
++        memory: "256Mi"
++        cpu: "500m"
      jobs:
        image_repo_sync:
          requests:
-@@ -248,6 +289,9 @@ pod:
+@@ -245,7 +286,11 @@ pod:
          limits:
            memory: "1024Mi"
            cpu: "2000m"
+ 
 +  sidecars:
 +    ovn_logging_parser: false
 +    vector: false
- 
++
  secrets:
    oci_image_registry:
-@@ -311,6 +355,22 @@ endpoints:
+     ovn: ovn-oci-image-registry-key
+@@ -304,6 +349,22 @@ endpoints:
          default: 6642
        raft:
          default: 6644
@@ -316,80 +312,3 @@
  
  network_policy:
    ovn_ovsdb_nb:
-diff --git a/images/neutron/Dockerfile b/images/neutron/Dockerfile
-index 7032319b..992091b6 100644
---- a/images/neutron/Dockerfile
-+++ b/images/neutron/Dockerfile
-@@ -13,12 +13,16 @@ RUN git -C /src/neutron-vpnaas fetch --unshallow
- ARG POLICY_SERVER_GIT_REF=4a86b140d5510823a8fb8a59137feddf5b111b26
- ADD --keep-git-dir=true https://github.com/vexxhost/neutron-policy-server.git#${POLICY_SERVER_GIT_REF} /src/neutron-policy-server
- RUN git -C /src/neutron-policy-server fetch --unshallow
-+ARG LOG_PASER_GIT_REF=3bc113d9fc0eb3264feca5900e550f6ed15503c2
-+ADD --keep-git-dir=true https://github.com/vexxhost/neutron-ovn-network-logging-parser.git#${LOG_PASER_GIT_REF} /src/neutron-ovn-network-logging-parser
-+RUN git -C /src/neutron-ovn-network-logging-parser fetch --unshallow
- RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
- pip3 install \
-     --constraint /upper-constraints.txt \
-         /src/neutron \
-         /src/neutron-vpnaas \
--        /src/neutron-policy-server
-+        /src/neutron-policy-server \
-+        /src/neutron-ovn-network-logging-parser
- EOF
- 
- FROM registry.atmosphere.dev/library/openstack-python-runtime:${RELEASE}
-diff --git a/roles/defaults/vars/main.yml b/roles/defaults/vars/main.yml
-index ff60d44a..2904e8de 100644
---- a/roles/defaults/vars/main.yml
-+++ b/roles/defaults/vars/main.yml
-@@ -173,6 +173,7 @@ _atmosphere_images:
-   openvswitch_db_server: "registry.atmosphere.dev/library/openvswitch:{{ atmosphere_release }}"
-   openvswitch_vswitchd: "registry.atmosphere.dev/library/openvswitch:{{ atmosphere_release }}"
-   ovn_controller: "registry.atmosphere.dev/library/ovn-host:{{ atmosphere_release }}"
-+  ovn_logging_parser: "registry.atmosphere.dev/library/neutron:{{ atmosphere_release }}"
-   ovn_northd: "registry.atmosphere.dev/library/ovn-central:{{ atmosphere_release }}"
-   ovn_ovsdb_nb: "registry.atmosphere.dev/library/ovn-central:{{ atmosphere_release }}"
-   ovn_ovsdb_sb: "registry.atmosphere.dev/library/ovn-central:{{ atmosphere_release }}"
-diff --git a/roles/neutron/vars/main.yml b/roles/neutron/vars/main.yml
-index fc587502..5c814499 100644
---- a/roles/neutron/vars/main.yml
-+++ b/roles/neutron/vars/main.yml
-@@ -70,6 +70,8 @@ __neutron_helm_values:
-         metadata_proxy_shared_secret: "{{ openstack_helm_endpoints['compute_metadata']['secret'] }}"
-     plugins:
-       ml2_conf:
-+        agent:
-+          extensions: "log"
-         ml2:
-           extension_drivers: dns_domain_ports,port_security,qos
-           type_drivers: flat,gre,vlan,vxlan
-@@ -85,7 +87,7 @@ __neutron_ovn_helm_values:
-   conf:
-     neutron:
-       DEFAULT:
--        service_plugins: qos,ovn-router,segments,trunk
-+        service_plugins: qos,ovn-router,segments,trunk,log
-       ovn:
-         ovn_emit_need_to_frag: true
-     ovn_metadata_agent:
-diff --git a/roles/ovn/defaults/main.yml b/roles/ovn/defaults/main.yml
-index b9045986..a6ebdb96 100644
---- a/roles/ovn/defaults/main.yml
-+++ b/roles/ovn/defaults/main.yml
-@@ -18,3 +18,5 @@ ovn_helm_chart_ref: /usr/local/src/ovn
- 
- ovn_helm_release_namespace: openstack
- ovn_helm_values: {}
-+
-+ovn_network_logging_parser_enabled: true
-diff --git a/roles/ovn/vars/main.yml b/roles/ovn/vars/main.yml
-index 59d9c209..603b4edf 100644
---- a/roles/ovn/vars/main.yml
-+++ b/roles/ovn/vars/main.yml
-@@ -35,3 +35,6 @@ _ovn_helm_values:
-       ovn_ovsdb_nb: 3
-       ovn_ovsdb_sb: 3
-       ovn_northd: 3
-+    sidecars:
-+      ovn_logging_parser: "{{ ovn_network_logging_parser_enabled }}"
-+      vector: "{{ ovn_network_logging_parser_enabled }}"
diff --git a/charts/patches/ovn/0003-oci-image-registry-secret.patch b/charts/patches/ovn/0003-oci-image-registry-secret.patch
deleted file mode 100644
index 904f3ab..0000000
--- a/charts/patches/ovn/0003-oci-image-registry-secret.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/ovn/values.yaml b/ovn/values.yaml
-index 4171db47..2df5c38c 100644
---- a/ovn/values.yaml
-+++ b/ovn/values.yaml
-@@ -295,11 +295,7 @@ pod:
-
- secrets:
-   oci_image_registry:
--    ovn_ovsdb_nb: ovn-ovsdb-nb-oci-image-registry-key
--    ovn_ovsdb_sb: ovn-ovsdb-sb-oci-image-registry-key
--    ovn_northd: ovn-northd-oci-image-registry-key
--    ovn_controller: ovn-controller-oci-image-registry-key
--    ovn_controller_gw: ovn-controller-gw-oci-image-registry-key
-+    ovn: ovn-oci-image-registry-key
diff --git a/molecule/aio/group_vars/all/molecule.yml b/molecule/aio/group_vars/all/molecule.yml
index 898f142..7cb93a8 100644
--- a/molecule/aio/group_vars/all/molecule.yml
+++ b/molecule/aio/group_vars/all/molecule.yml
@@ -125,8 +125,6 @@
       ovn_ovsdb_nb: 1
       ovn_ovsdb_sb: 1
       ovn_northd: 1
-  manifests:
-    daemonset_ovn_controller: false
 
 coredns_helm_values:
   replicaCount: 1
diff --git a/roles/defaults/vars/main.yml b/roles/defaults/vars/main.yml
index 64bfd3f..5835207 100644
--- a/roles/defaults/vars/main.yml
+++ b/roles/defaults/vars/main.yml
@@ -185,6 +185,7 @@
   openvswitch_db_server: "registry.atmosphere.dev/library/openvswitch:{{ atmosphere_release }}"
   openvswitch_vswitchd: "registry.atmosphere.dev/library/openvswitch:{{ atmosphere_release }}"
   ovn_controller: "registry.atmosphere.dev/library/ovn-host:{{ atmosphere_release }}"
+  ovn_controller_kubectl: "registry.atmosphere.dev/library/ovn-host:{{ atmosphere_release }}"
   ovn_logging_parser: "registry.atmosphere.dev/library/neutron:{{ atmosphere_release }}"
   ovn_northd: "registry.atmosphere.dev/library/ovn-central:{{ atmosphere_release }}"
   ovn_ovsdb_nb: "registry.atmosphere.dev/library/ovn-central:{{ atmosphere_release }}"
diff --git a/roles/ovn/vars/main.yml b/roles/ovn/vars/main.yml
index 603b4ed..994894f 100644
--- a/roles/ovn/vars/main.yml
+++ b/roles/ovn/vars/main.yml
@@ -25,6 +25,9 @@
     ovn_northd:
       node_selector_key: openstack-control-plane
       node_selector_value: enabled
+    ovn_controller_gw:
+      node_selector_key: openstack-control-plane
+      node_selector_value: enabled
   volume:
     ovn_ovsdb_nb:
       size: 20Gi