chore: bump charts
diff --git a/charts/cinder/Chart.yaml b/charts/cinder/Chart.yaml
index c769da8..06d521e 100644
--- a/charts/cinder/Chart.yaml
+++ b/charts/cinder/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/cinder
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.25
+version: 0.3.2
diff --git a/charts/cinder/charts/helm-toolkit/Chart.yaml b/charts/cinder/charts/helm-toolkit/Chart.yaml
index 4f9e6e5..12e2dd2 100644
--- a/charts/cinder/charts/helm-toolkit/Chart.yaml
+++ b/charts/cinder/charts/helm-toolkit/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/openstack-helm-infra
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.46
+version: 0.2.50
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_ingress.tpl
index 70e64cc..4c476b2 100644
--- a/charts/cinder/charts/helm-toolkit/templates/manifests/_ingress.tpl
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -685,7 +685,7 @@
 {{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
 {{- end }}
 {{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
-{{- $ingressConf := $envAll.Values.network.kibana.ingress -}}
+{{- $ingressConf := $envAll.Values.network -}}
 {{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
 {{- range $key2, $ingressController := $ingressClasses }}
 {{- $vHosts := list $hostNameFull }}
@@ -706,7 +706,6 @@
 {{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
 {{- $vHosts = append $vHosts $v }}
 {{- end }}
-{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
 {{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
 {{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
   tls:
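Review bot: With the `tls.key`/`tls.crt` guard removed, the `tls:` block and the `required` secret-name lookup now run for every host that is not cluster-local, whether or not certificate material was supplied in values. If nothing else creates the secret named under `.Values.secrets.tls`, the Ingress will reference a secret that does not exist, and the controller will presumably serve its default certificate. Add a template comment above the `$secretName` line stating the expectation, e.g. `{{/* TLS secret is always referenced; it must be provisioned separately */}}`. The matching `{{- end }}` is dropped in the next hunk, and the enclosing range starts outside this one.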
@@ -718,7 +717,6 @@
 {{- end }}
 {{- end }}
 {{- end }}
-{{- end }}
   rules:
 {{- range $vHost := $vHosts }}
 {{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
index 87872d6..3739f95 100644
--- a/charts/cinder/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -77,6 +77,11 @@
   password="${RABBITMQ_PASSWORD}" \
   tags="user"
 
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
 if [ "${RABBITMQ_VHOST}" != "/" ]
 then
   echo "Managing: vHost: ${RABBITMQ_VHOST}"
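Review bot: `|| true` on the guest deletion hides every failure, not only "user does not exist". A management-API or permission error would leave the default `guest` account in place while the job still reports success. Unless `rabbitmqadmin_cli` (defined outside this hunk) already reports the error, log it, e.g. `name="guest" || echo "WARN: guest user could not be deleted"`. Better still, list users afterwards and fail if `guest` is still present.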
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
index 516d79e..687851e 100644
--- a/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -66,6 +66,14 @@
 #       framework will automatically tar/zip the files in that directory and
 #       name the tarball appropriately according to the proper conventions.
 #
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
 # The functions in this file will take care of:
 #   1) Calling "dump_databases_to_directory" and then compressing the files,
 #      naming the tarball properly, and then storing it locally at the specified
@@ -90,6 +98,16 @@
   exit $ERRCODE
 }
 
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
 log() {
   #Log message to a file or stdout
   #TODO: This can be convert into mail alert of alert send to a monitoring system
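Review bot: `ERRCODE=${2:-0}` makes `log_verify_backup_exit` exit with status 0 unless a code is passed, and the only caller added in this commit (the verification-failure branch in the `@@ -459` hunk) passes just the message. A failed verification would therefore end the job as successful, and the `exit 1` written after that call is never reached; default to failure with `ERRCODE=${2:-1}`. With `# rm -rf $TMP_DIR` commented out, the dump directory is also left behind on this path, so either clean it up or add a comment saying it is kept for inspection. `rm -f $ERR_LOG_FILE` should quote the variable.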
@@ -201,12 +219,36 @@
     log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
     return 2
   fi
+
   openstack object show $CONTAINER_NAME $FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
     return 2
   fi
 
+  # Calculation remote file SHA256 hash
+  REMOTE_FILE=$(mktemp -p /tmp)
+  openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+    rm -rf ${REMOTE_FILE}
+    return 1
+  fi
+
+  # Remote backup verification
+  SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+  SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+  if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+      return 1
+  fi
+  rm -rf ${REMOTE_FILE}
+
   log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
   return 0
 }
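Review bot: On a hash mismatch the function returns at `return 1` before `rm -rf ${REMOTE_FILE}`, leaving a full downloaded copy of the database backup in `/tmp`. Delete the temp file as soon as the remote hash is computed, `rm -f "${REMOTE_FILE}"` directly after the `SHA256_REMOTE=` line. Also quote `${REMOTE_FILE}` and `${FILEPATH}/${FILE}` in the `openstack object save` and hashing commands. `sha256sum "${REMOTE_FILE}"` would also replace the `cat |` pipe, where a read failure is not detected. The function starts outside this hunk, so whether callers treat `return 1` differently from the existing `return 2` cannot be seen here.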
@@ -382,8 +424,8 @@
 
   # Cleanup now that we're done.
   for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
-    if [[ -f fd ]]; then
-      rm -f fd
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
     else
       log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
     fi
@@ -444,10 +486,6 @@
 
   cd $ARCHIVE_DIR
 
-  # Remove the temporary directory and files as they are no longer needed.
-  rm -rf $TMP_DIR
-  rm -f $ERR_LOG_FILE
-
   #Only delete the old archive after a successful archive
   export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
   if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
@@ -459,6 +497,25 @@
     done
   fi
 
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  # Remote backup
   REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
   if $REMOTE_BACKUP; then
     # Remove Quotes from the constants which were added due to reading
@@ -490,7 +547,7 @@
       get_backup_prefix $(cat $DB_BACKUP_FILES)
       for ((i=0; i<${#PREFIXES[@]}; i++)); do
         echo "Working with prefix: ${PREFIXES[i]}"
-        create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
         remove_old_remote_archives
       done
     fi
@@ -511,4 +568,4 @@
     echo "=================================================================="
   fi
 }
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/cinder/requirements.lock b/charts/cinder/requirements.lock
index a35c5a5..57e368f 100644
--- a/charts/cinder/requirements.lock
+++ b/charts/cinder/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: helm-toolkit
   repository: file://../../openstack-helm-infra/helm-toolkit
-  version: 0.2.46
-digest: sha256:4baae4035ac4ec09ff414ac48d8f1e3f030d1ce1629727cb1ff24d44ffa000f1
-generated: "2022-08-17T17:14:30.083437397Z"
+  version: 0.2.50
+digest: sha256:67fc0fd70898d60cddd5c634b632205a7716bfeb21e57adaeda464efbcfa2ce3
+generated: "2023-01-13T22:23:15.656648671Z"
diff --git a/charts/cinder/templates/configmap-etc.yaml b/charts/cinder/templates/configmap-etc.yaml
index a2ad5f2..fe73a88 100644
--- a/charts/cinder/templates/configmap-etc.yaml
+++ b/charts/cinder/templates/configmap-etc.yaml
@@ -94,7 +94,7 @@
 {{- end -}}
 
 {{- if empty .Values.conf.cinder.DEFAULT.osapi_volume_listen_port -}}
-{{- $_ := tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.cinder.DEFAULT "osapi_volume_listen_port" -}}
+{{- $_ := tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.cinder.DEFAULT "osapi_volume_listen_port" -}}
 {{- end -}}
 
 {{- if .Values.conf.cinder.service_user.send_service_user_token -}}
@@ -158,10 +158,10 @@
 {{- $filePrefix := replace "_" "-"  $key }}
   {{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}
 {{- end }}
-{{- if .Values.backup.external_ceph_rbd.enabled }}
+{{- if and .Values.backup.external_ceph_rbd.enabled (not .Values.backup.external_ceph_rbd.configmap) }}
   external-backup-ceph.conf: {{ include "helm-toolkit.utils.to_ini" .Values.backup.external_ceph_rbd.conf | b64enc }}
 {{- end }}
-{{- if .Values.ceph_client.enable_external_ceph_backend }}
+{{- if and .Values.ceph_client.enable_external_ceph_backend (not .Values.ceph_client.external_ceph.configmap) }}
   external-ceph.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.ceph_client.external_ceph.conf | b64enc }}
 {{- end }}
 {{- end }}
diff --git a/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml b/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
index c1c317c..1d935f1 100644
--- a/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
+++ b/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
@@ -64,6 +64,11 @@
 {{ tuple $envAll "cinder_volume_usage_audit" | include "helm-toolkit.snippets.image" | indent 14 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.volume_usage_audit | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
 {{ dict "envAll" $envAll "application" "volume_usage_audit" "container" "cinder_volume_usage_audit" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+              env:
+                - name: REQUESTS_CA_BUNDLE
+                  value: "/etc/cinder/certs/ca.crt"
+{{- end }}
               command:
                 - /tmp/volume-usage-audit.sh
               volumeMounts:
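Review bot: `.Values.tls.identity` is read here and in every other `or .Values.manifests.certificates .Values.tls.identity` condition this commit adds (the two later hunks of this file, deployment-api, deployment-volume and the job-* templates), but no `tls:` default appears in the values.yaml changes shown. If `tls` is not already defined elsewhere in values.yaml, the render fails on a nil `.Values.tls` instead of treating the flag as false, so the chart should ship `tls:` with `identity: false`. With only `tls.identity` set, `REQUESTS_CA_BUNDLE` points at `/etc/cinder/certs/ca.crt` from a secret the chart did not issue itself. A values comment should state that the secret named in `secrets.tls.volumev3.api.internal` must exist and contain a `ca.crt` key.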
@@ -85,6 +90,7 @@
                   mountPath: /tmp/volume-usage-audit.sh
                   subPath: volume-usage-audit.sh
                   readOnly: true
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
 {{ if $mounts_cinder_volume_usage_audit.volumeMounts }}{{ toYaml $mounts_cinder_volume_usage_audit.volumeMounts | indent 16 }}{{ end }}
@@ -101,6 +107,7 @@
               configMap:
                 name: cinder-bin
                 defaultMode: 0555
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{ if $mounts_cinder_volume_usage_audit.volumes }}{{ toYaml $mounts_cinder_volume_usage_audit.volumes | indent 12 }}{{ end }}
diff --git a/charts/cinder/templates/deployment-api.yaml b/charts/cinder/templates/deployment-api.yaml
index 7925c60..b3e6be1 100644
--- a/charts/cinder/templates/deployment-api.yaml
+++ b/charts/cinder/templates/deployment-api.yaml
@@ -80,6 +80,11 @@
           command:
             - /tmp/cinder-api.sh
             - start
+          env:
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/cinder/certs/ca.crt"
+{{- end }}
           lifecycle:
             preStop:
               exec:
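Review bot: `env:` is emitted unconditionally while its only entry sits inside the `if`, so with both flags false the container renders an `env:` key with a null value. The cron-job template in this commit places `env:` inside the condition instead. Moving the key under the guard keeps the templates consistent: `{{- if or .Values.manifests.certificates .Values.tls.identity }}` followed by `env:` and the `REQUESTS_CA_BUNDLE` entry. The same unconditional `env:` is added to the cinder-volume container in deployment-volume.yaml.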
@@ -88,13 +93,17 @@
                   - stop
           ports:
             - name: c-api
-              containerPort: {{ tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              containerPort: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
           readinessProbe:
-            tcpSocket:
-              port: {{ tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            httpGet:
+              scheme: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+              path: /
+              port: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
           livenessProbe:
-            tcpSocket:
-              port: {{ tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            httpGet:
+              scheme: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+              path: /
+              port: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
             initialDelaySeconds: 30
             failureThreshold: 3
             periodSeconds: 10
@@ -156,7 +165,7 @@
               readOnly: true
             {{- end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }}
       volumes:
@@ -179,7 +188,7 @@
           emptyDir: {}
         {{- end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/charts/cinder/templates/deployment-backup.yaml b/charts/cinder/templates/deployment-backup.yaml
index b4a429b..6107775 100644
--- a/charts/cinder/templates/deployment-backup.yaml
+++ b/charts/cinder/templates/deployment-backup.yaml
@@ -189,6 +189,11 @@
               mountPath: /etc/ceph/ceph.conf
               subPath: ceph.conf
               readOnly: true
+            {{- else if .Values.backup.external_ceph_rbd.configmap }}
+            - name: external-backup-ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
             {{- else }}
             - name: cinder-etc
               mountPath: /etc/ceph/ceph.conf
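Review bot: The `external-backup-ceph-etc` mount is selected by `.Values.backup.external_ceph_rbd.configmap` alone, while the volume of that name (in the `@@ -289` hunk) is declared only when `external_ceph_rbd.enabled` is also true. Unless the `if` preceding this `else if` (outside the hunk) already implies that, values with `configmap` set and `enabled: false` would render a pod that mounts an undeclared volume. Use the same condition on both sides, `{{- else if and .Values.backup.external_ceph_rbd.enabled .Values.backup.external_ceph_rbd.configmap }}`. A default for `backup.external_ceph_rbd.configmap` is also not visible in the values.yaml changes shown.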
@@ -207,10 +212,17 @@
               readOnly: true
             {{- end }}
             {{- if .Values.ceph_client.enable_external_ceph_backend }}
+            {{- if .Values.ceph_client.external_ceph.configmap }}
+            - name: external-ceph-etc
+              mountPath: /etc/ceph/external-ceph.conf
+              subPath: external-ceph.conf
+              readOnly: true
+            {{- else }}
             - name: cinder-etc
               mountPath: /etc/ceph/external-ceph.conf
               subPath: external-ceph.conf
               readOnly: true
+            {{- end }}
             {{- if .Values.ceph_client.external_ceph.rbd_user }}
             - name: external-ceph-keyring
               mountPath: /tmp/external-ceph-client-keyring
@@ -289,10 +301,22 @@
         {{ if or (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) (eq "true" (include "cinder.utils.has_ceph_backend" $envAll)) }}
         - name: etcceph
           emptyDir: {}
+        {{- if and .Values.backup.external_ceph_rbd.enabled .Values.backup.external_ceph_rbd.configmap }}
+        - name: external-backup-ceph-etc
+          configMap:
+            name: {{ .Values.backup.external_ceph_rbd.configmap }}
+            defaultMode: 0444
+        {{- end }}
         - name: ceph-etc
           configMap:
             name: {{ .Values.ceph_client.configmap }}
             defaultMode: 0444
+        {{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.configmap }}
+        - name: external-ceph-etc
+          configMap:
+            name: {{ .Values.ceph_client.external_ceph.configmap }}
+            defaultMode: 0444
+        {{- end }}
         {{ end }}
         {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
         - name: ceph-backup-keyring
diff --git a/charts/cinder/templates/deployment-volume.yaml b/charts/cinder/templates/deployment-volume.yaml
index 135672a..0fccd46 100644
--- a/charts/cinder/templates/deployment-volume.yaml
+++ b/charts/cinder/templates/deployment-volume.yaml
@@ -131,9 +131,9 @@
               readOnly: true
             - name: pod-shared
               mountPath: /tmp/pod-shared
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
           env:
-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: INTERNAL_PROJECT_NAME
@@ -150,6 +150,11 @@
 {{ dict "envAll" $envAll "application" "cinder_volume" "container" "cinder_volume" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
             - /tmp/cinder-volume.sh
+          env:
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/cinder/certs/ca.crt"
+{{- end }}
           terminationMessagePath: /var/log/termination-log
           volumeMounts:
             - name: pod-tmp
@@ -188,10 +193,17 @@
               subPath: key
               readOnly: true
             {{- if .Values.ceph_client.enable_external_ceph_backend }}
+            {{- if .Values.ceph_client.external_ceph.configmap }}
+            - name: external-ceph-etc
+              mountPath: /etc/ceph/external-ceph.conf
+              subPath: external-ceph.conf
+              readOnly: true
+            {{- else }}
             - name: cinder-etc
               mountPath: /etc/ceph/external-ceph.conf
               subPath: external-ceph.conf
               readOnly: true
+            {{- end }}
             {{- if .Values.ceph_client.external_ceph.rbd_user }}
             - name: external-ceph-keyring
               mountPath: /tmp/external-ceph-client-keyring
@@ -269,7 +281,7 @@
               mountPropagation: HostToContainer
               {{- end }}
             {{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }}
@@ -295,6 +307,12 @@
           configMap:
             name: {{ .Values.ceph_client.configmap }}
             defaultMode: 0444
+        {{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.configmap }}
+        - name: external-ceph-etc
+          configMap:
+            name: {{ .Values.ceph_client.external_ceph.configmap }}
+            defaultMode: 0444
+        {{- end }}
         - name: ceph-keyring
           secret:
             secretName: {{ .Values.secrets.rbd.volume | quote }}
@@ -333,7 +351,7 @@
             path: /sys
         {{- end }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/charts/cinder/templates/job-bootstrap.yaml b/charts/cinder/templates/job-bootstrap.yaml
index 0db5409..a7b590e 100644
--- a/charts/cinder/templates/job-bootstrap.yaml
+++ b/charts/cinder/templates/job-bootstrap.yaml
@@ -19,7 +19,7 @@
 
 {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
 {{- $bootstrapJob := dict "envAll" . "serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
 {{- end -}}
 {{- if .Values.pod.tolerations.cinder.enabled -}}
diff --git a/charts/cinder/templates/job-create-internal-tenant.yaml b/charts/cinder/templates/job-create-internal-tenant.yaml
index b298e36..78de218 100644
--- a/charts/cinder/templates/job-create-internal-tenant.yaml
+++ b/charts/cinder/templates/job-create-internal-tenant.yaml
@@ -68,9 +68,9 @@
               mountPath: /tmp/create-internal-tenant.sh
               subPath: create-internal-tenant.sh
               readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
           env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_SERVICE_NAME
@@ -97,5 +97,5 @@
           configMap:
             name: {{ $configMapBin | quote }}
             defaultMode: 0555
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end -}}
diff --git a/charts/cinder/templates/job-ks-endpoints.yaml b/charts/cinder/templates/job-ks-endpoints.yaml
index 6b0493d..99d5360 100644
--- a/charts/cinder/templates/job-ks-endpoints.yaml
+++ b/charts/cinder/templates/job-ks-endpoints.yaml
@@ -19,7 +19,7 @@
 
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volumev3" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/charts/cinder/templates/job-ks-service.yaml b/charts/cinder/templates/job-ks-service.yaml
index 3299506..159f66a 100644
--- a/charts/cinder/templates/job-ks-service.yaml
+++ b/charts/cinder/templates/job-ks-service.yaml
@@ -25,7 +25,7 @@
 {{- end }}
 {{- end }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" $serviceTypes -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/charts/cinder/templates/job-ks-user.yaml b/charts/cinder/templates/job-ks-user.yaml
index 4cd671d..78f48cf 100644
--- a/charts/cinder/templates/job-ks-user.yaml
+++ b/charts/cinder/templates/job-ks-user.yaml
@@ -19,7 +19,7 @@
 
 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/charts/cinder/templates/service-api.yaml b/charts/cinder/templates/service-api.yaml
index 86d6b6f..d053063 100644
--- a/charts/cinder/templates/service-api.yaml
+++ b/charts/cinder/templates/service-api.yaml
@@ -22,7 +22,7 @@
 spec:
   ports:
     - name: c-api
-      port: {{ tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      port: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
     {{ if .Values.network.api.node_port.enabled }}
       nodePort: {{ .Values.network.api.node_port.port }}
     {{ end }}
diff --git a/charts/cinder/values.yaml b/charts/cinder/values.yaml
index 647a049..7633d97 100644
--- a/charts/cinder/values.yaml
+++ b/charts/cinder/values.yaml
@@ -43,20 +43,20 @@
 images:
   tags:
     test: docker.io/xrally/xrally-openstack:2.0.0
-    db_init: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
-    cinder_db_sync: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
-    db_drop: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+    db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    cinder_db_sync: docker.io/openstackhelm/cinder:wallaby-ubuntu_focal
+    db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
     rabbit_init: docker.io/rabbitmq:3.7-management
-    ks_user: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
-    ks_service: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
-    ks_endpoints: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
-    cinder_api: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
-    bootstrap: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
-    cinder_scheduler: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
-    cinder_volume: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
-    cinder_volume_usage_audit: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
+    ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    ks_service: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    cinder_api: docker.io/openstackhelm/cinder:wallaby-ubuntu_focal
+    bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+    cinder_scheduler: docker.io/openstackhelm/cinder:wallaby-ubuntu_focal
+    cinder_volume: docker.io/openstackhelm/cinder:wallaby-ubuntu_focal
+    cinder_volume_usage_audit: docker.io/openstackhelm/cinder:wallaby-ubuntu_focal
     cinder_storage_init: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic
-    cinder_backup: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
+    cinder_backup: docker.io/openstackhelm/cinder:wallaby-ubuntu_focal
     cinder_backup_storage_init: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic
     dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
     image_repo_sync: docker.io/docker:17.07.0
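Review bot: The bumped images are still referenced by moving tags (`wallaby-ubuntu_focal`, and `latest-ubuntu_bionic` on the untouched ceph-config-helper entries), so what a deployment pulls can change without any change to this chart. For reproducible and auditable rollouts, pin by digest in the deployment's overrides, e.g. `cinder_api: docker.io/openstackhelm/cinder:wallaby-ubuntu_focal@sha256:<digest>`. Alternatively, mirror the images into a registry with immutable tags.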
@@ -140,6 +140,9 @@
           runAsUser: 0
           readOnlyRootFilesystem: true
         cinder_volume:
+          capabilities:
+            add:
+              - SYS_ADMIN
           readOnlyRootFilesystem: true
     storage_init:
       pod:
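Review bot: `SYS_ADMIN` is added to the `cinder_volume` container with no comment saying what needs it. It is one of the broadest Linux capabilities, so operators reviewing the pod security posture need to know whether it applies to their backend. Add a comment above `capabilities:`, e.g. `# SYS_ADMIN: required for <operation / backend>; remove via overrides when the backend in use does not need it`. Whether this container already runs as root or privileged is outside the hunk.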
@@ -422,6 +425,7 @@
     # secret for external ceph keyring will be created.
     rbd_user: null
     rbd_user_keyring: null
+    configmap: null
     conf:
       global: null
       osd: null
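Review bot: The new `configmap: null` key has no comment saying what it names or what `null` selects, unlike the neighbouring keyring keys, which at least have the comment that ends at the top of this hunk. The same undocumented key is added under `external_ceph_rbd` in the later hunk of this file. A one-line comment would do, e.g. `# configmap: <what it references>; null = <default behaviour>`, filled in from the template that reads the value. The enclosing mapping starts outside the hunk.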
@@ -464,122 +468,7 @@
     filter:audit:
       paste.filter_factory: keystonemiddleware.audit:filter_factory
       audit_map_file: /etc/cinder/api_audit_map.conf
-  policy:
-    context_is_admin: role:admin
-    admin_or_owner: is_admin:True or project_id:%(project_id)s
-    default: rule:admin_or_owner
-    admin_api: is_admin:True
-    volume:create: ''
-    volume:delete: rule:admin_or_owner
-    volume:get: rule:admin_or_owner
-    volume:get_all: rule:admin_or_owner
-    volume:get_volume_metadata: rule:admin_or_owner
-    volume:create_volume_metadata: rule:admin_or_owner
-    volume:delete_volume_metadata: rule:admin_or_owner
-    volume:update_volume_metadata: rule:admin_or_owner
-    volume:get_volume_admin_metadata: rule:admin_api
-    volume:update_volume_admin_metadata: rule:admin_api
-    volume:get_snapshot: rule:admin_or_owner
-    volume:get_all_snapshots: rule:admin_or_owner
-    volume:create_snapshot: rule:admin_or_owner
-    volume:delete_snapshot: rule:admin_or_owner
-    volume:update_snapshot: rule:admin_or_owner
-    volume:get_snapshot_metadata: rule:admin_or_owner
-    volume:delete_snapshot_metadata: rule:admin_or_owner
-    volume:update_snapshot_metadata: rule:admin_or_owner
-    volume:extend: rule:admin_or_owner
-    volume:update_readonly_flag: rule:admin_or_owner
-    volume:retype: rule:admin_or_owner
-    volume:update: rule:admin_or_owner
-    volume_extension:types_manage: rule:admin_api
-    volume_extension:types_extra_specs: rule:admin_api
-    volume_extension:access_types_qos_specs_id: rule:admin_api
-    volume_extension:access_types_extra_specs: rule:admin_api
-    volume_extension:volume_type_access: rule:admin_or_owner
-    volume_extension:volume_type_access:addProjectAccess: rule:admin_api
-    volume_extension:volume_type_access:removeProjectAccess: rule:admin_api
-    volume_extension:volume_type_encryption: rule:admin_api
-    volume_extension:volume_encryption_metadata: rule:admin_or_owner
-    volume_extension:extended_snapshot_attributes: rule:admin_or_owner
-    volume_extension:volume_image_metadata: rule:admin_or_owner
-    volume_extension:quotas:show: ''
-    volume_extension:quotas:update: rule:admin_api
-    volume_extension:quotas:delete: rule:admin_api
-    volume_extension:quota_classes: rule:admin_api
-    volume_extension:quota_classes:validate_setup_for_nested_quota_use: rule:admin_api
-    volume_extension:volume_admin_actions:reset_status: rule:admin_api
-    volume_extension:snapshot_admin_actions:reset_status: rule:admin_api
-    volume_extension:backup_admin_actions:reset_status: rule:admin_api
-    volume_extension:volume_admin_actions:force_delete: rule:admin_api
-    volume_extension:volume_admin_actions:force_detach: rule:admin_api
-    volume_extension:snapshot_admin_actions:force_delete: rule:admin_api
-    volume_extension:backup_admin_actions:force_delete: rule:admin_api
-    volume_extension:volume_admin_actions:migrate_volume: rule:admin_api
-    volume_extension:volume_admin_actions:migrate_volume_completion: rule:admin_api
-    volume_extension:volume_actions:upload_public: rule:admin_api
-    volume_extension:volume_actions:upload_image: rule:admin_or_owner
-    volume_extension:volume_host_attribute: rule:admin_api
-    volume_extension:volume_tenant_attribute: rule:admin_or_owner
-    volume_extension:volume_mig_status_attribute: rule:admin_api
-    volume_extension:hosts: rule:admin_api
-    volume_extension:services:index: rule:admin_api
-    volume_extension:services:update: rule:admin_api
-    volume_extension:volume_manage: rule:admin_api
-    volume_extension:volume_unmanage: rule:admin_api
-    volume_extension:list_manageable: rule:admin_api
-    volume_extension:capabilities: rule:admin_api
-    volume:create_transfer: rule:admin_or_owner
-    volume:accept_transfer: ''
-    volume:delete_transfer: rule:admin_or_owner
-    volume:get_transfer: rule:admin_or_owner
-    volume:get_all_transfers: rule:admin_or_owner
-    volume_extension:replication:promote: rule:admin_api
-    volume_extension:replication:reenable: rule:admin_api
-    volume:failover_host: rule:admin_api
-    volume:freeze_host: rule:admin_api
-    volume:thaw_host: rule:admin_api
-    backup:create: ''
-    backup:delete: rule:admin_or_owner
-    backup:get: rule:admin_or_owner
-    backup:get_all: rule:admin_or_owner
-    backup:restore: rule:admin_or_owner
-    backup:backup-import: rule:admin_api
-    backup:backup-export: rule:admin_api
-    backup:update: rule:admin_or_owner
-    snapshot_extension:snapshot_actions:update_snapshot_status: ''
-    snapshot_extension:snapshot_manage: rule:admin_api
-    snapshot_extension:snapshot_unmanage: rule:admin_api
-    snapshot_extension:list_manageable: rule:admin_api
-    consistencygroup:create: group:nobody
-    consistencygroup:delete: group:nobody
-    consistencygroup:update: group:nobody
-    consistencygroup:get: group:nobody
-    consistencygroup:get_all: group:nobody
-    consistencygroup:create_cgsnapshot: group:nobody
-    consistencygroup:delete_cgsnapshot: group:nobody
-    consistencygroup:get_cgsnapshot: group:nobody
-    consistencygroup:get_all_cgsnapshots: group:nobody
-    group:group_types_manage: rule:admin_api
-    group:group_types_specs: rule:admin_api
-    group:access_group_types_specs: rule:admin_api
-    group:group_type_access: rule:admin_or_owner
-    group:create: ''
-    group:delete: rule:admin_or_owner
-    group:update: rule:admin_or_owner
-    group:get: rule:admin_or_owner
-    group:get_all: rule:admin_or_owner
-    group:create_group_snapshot: ''
-    group:delete_group_snapshot: rule:admin_or_owner
-    group:update_group_snapshot: rule:admin_or_owner
-    group:get_group_snapshot: rule:admin_or_owner
-    group:get_all_group_snapshots: rule:admin_or_owner
-    scheduler_extension:scheduler_stats:get_pools: rule:admin_api
-    message:delete: rule:admin_or_owner
-    message:get: rule:admin_or_owner
-    message:get_all: rule:admin_or_owner
-    clusters:get: rule:admin_api
-    clusters:get_all: rule:admin_api
-    clusters:update: rule:admin_api
+  policy: {}
   api_audit_map:
     DEFAULT:
       target_endpoint_type: None
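Review bot: With `policy: {}` the chart no longer states any authorization rule, so the effective policy is presumably whatever defaults ship with the service in the image, and nothing in the file tells an operator that. The removed block was not neutral: every `consistencygroup:*` rule was `group:nobody`, and `volume:create`, `backup:create` and `volume:accept_transfer` used the empty rule, so deployments that relied on those values should compare the rendered policy before and after the upgrade. I would add a comment above the new line, e.g. `# Empty on purpose: the service's built-in policy defaults apply; put overrides here`. The `policy: {}` hunk in charts/designate/values.yaml has the same effect and drops, among others, the `'@'` rules for `find_zone_transfer_requests` and `find_zone_transfer_request`.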
@@ -1097,6 +986,7 @@
   external_ceph_rbd:
     enabled: false
     admin_keyring: null
+    configmap: null
     conf:
       global: null
       osd: null
@@ -1481,6 +1371,11 @@
 # set helm3_hook: false when using the helm2 binary.
 helm3_hook: true
 
+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
 manifests:
   certificates: false
   configmap_bin: true
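Review bot: The new top-level `tls:` block has no comment, and all three toggles default to `false`. From the names they presumably control TLS for the identity, messaging and database connections, but a reader cannot tell from this file whether `false` means plaintext or only that the chart does not manage the certificates. I would document it in place, e.g. `# tls.<name>: true enables TLS for that connection; needs the matching certificate secret`, with the wording confirmed against the templates that read these values.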
diff --git a/charts/designate/Chart.yaml b/charts/designate/Chart.yaml
index 3aeec68..4fc1a35 100644
--- a/charts/designate/Chart.yaml
+++ b/charts/designate/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/designate
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.7
+version: 0.2.8
diff --git a/charts/designate/charts/helm-toolkit/Chart.yaml b/charts/designate/charts/helm-toolkit/Chart.yaml
index e79632a..12e2dd2 100644
--- a/charts/designate/charts/helm-toolkit/Chart.yaml
+++ b/charts/designate/charts/helm-toolkit/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/openstack-helm-infra
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.49
+version: 0.2.50
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_ingress.tpl
index f05f7b7..4c476b2 100644
--- a/charts/designate/charts/helm-toolkit/templates/manifests/_ingress.tpl
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -706,7 +706,6 @@
 {{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
 {{- $vHosts = append $vHosts $v }}
 {{- end }}
-{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
 {{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
 {{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
   tls:
@@ -718,7 +717,6 @@
 {{- end }}
 {{- end }}
 {{- end }}
-{{- end }}
   rules:
 {{- range $vHost := $vHosts }}
 {{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
diff --git a/charts/designate/requirements.lock b/charts/designate/requirements.lock
index b701966..b8cc2db 100644
--- a/charts/designate/requirements.lock
+++ b/charts/designate/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: helm-toolkit
   repository: file://../../openstack-helm-infra/helm-toolkit
-  version: 0.2.49
-digest: sha256:17c2ccd48a8f79f15fc2fe5a59a1e0330cd6d0010ab5cc81a81575db31377a32
-generated: "2022-11-22T20:12:42.414567937Z"
+  version: 0.2.50
+digest: sha256:67fc0fd70898d60cddd5c634b632205a7716bfeb21e57adaeda464efbcfa2ce3
+generated: "2023-01-13T22:23:10.634309003Z"
diff --git a/charts/designate/values.yaml b/charts/designate/values.yaml
index 7abd43d..ea2c2aa 100644
--- a/charts/designate/values.yaml
+++ b/charts/designate/values.yaml
@@ -441,112 +441,7 @@
       paste.filter_factory: designate.api.middleware:FaultWrapperMiddleware.factory
     filter:validation_API_v2:
       paste.filter_factory: designate.api.middleware:APIv2ValidationErrorMiddleware.factory
-  policy:
-    admin: role:admin or is_admin:True
-    primary_zone: target.zone_type:SECONDARY
-    owner: tenant:%(tenant_id)s
-    admin_or_owner: rule:admin or rule:owner
-    target: tenant:%(target_tenant_id)s
-    owner_or_target: rule:target or rule:owner
-    admin_or_owner_or_target: rule:owner_or_target or rule:admin
-    admin_or_target: rule:admin or rule:target
-    zone_primary_or_admin: ('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)
-    default: rule:admin_or_owner
-    all_tenants: rule:admin
-    edit_managed_records: rule:admin
-    use_low_ttl: rule:admin
-    get_quotas: rule:admin_or_owner
-    get_quota: rule:admin_or_owner
-    set_quota: rule:admin
-    reset_quotas: rule:admin
-    create_tld: rule:admin
-    find_tlds: rule:admin
-    get_tld: rule:admin
-    update_tld: rule:admin
-    delete_tld: rule:admin
-    create_tsigkey: rule:admin
-    find_tsigkeys: rule:admin
-    get_tsigkey: rule:admin
-    update_tsigkey: rule:admin
-    delete_tsigkey: rule:admin
-    find_tenants: rule:admin
-    get_tenant: rule:admin
-    count_tenants: rule:admin
-    create_zone: rule:admin_or_owner
-    get_zones: rule:admin_or_owner
-    get_zone: rule:admin_or_owner
-    get_zone_servers: rule:admin_or_owner
-    find_zones: rule:admin_or_owner
-    find_zone: rule:admin_or_owner
-    update_zone: rule:admin_or_owner
-    delete_zone: rule:admin_or_owner
-    xfr_zone: rule:admin_or_owner
-    abandon_zone: rule:admin
-    count_zones: rule:admin_or_owner
-    count_zones_pending_notify: rule:admin_or_owner
-    purge_zones: rule:admin
-    touch_zone: rule:admin_or_owner
-    create_recordset: rule:zone_primary_or_admin
-    get_recordsets: rule:admin_or_owner
-    get_recordset: rule:admin_or_owner
-    find_recordsets: rule:admin_or_owner
-    find_recordset: rule:admin_or_owner
-    update_recordset: rule:zone_primary_or_admin
-    delete_recordset: rule:zone_primary_or_admin
-    count_recordset: rule:admin_or_owner
-    create_record: rule:admin_or_owner
-    get_records: rule:admin_or_owner
-    get_record: rule:admin_or_owner
-    find_records: rule:admin_or_owner
-    find_record: rule:admin_or_owner
-    update_record: rule:admin_or_owner
-    delete_record: rule:admin_or_owner
-    count_records: rule:admin_or_owner
-    use_sudo: rule:admin
-    create_blacklist: rule:admin
-    find_blacklist: rule:admin
-    find_blacklists: rule:admin
-    get_blacklist: rule:admin
-    update_blacklist: rule:admin
-    delete_blacklist: rule:admin
-    use_blacklisted_zone: rule:admin
-    create_pool: rule:admin
-    find_pools: rule:admin
-    find_pool: rule:admin
-    get_pool: rule:admin
-    update_pool: rule:admin
-    delete_pool: rule:admin
-    zone_create_forced_pool: rule:admin
-    diagnostics_ping: rule:admin
-    diagnostics_sync_zones: rule:admin
-    diagnostics_sync_zone: rule:admin
-    diagnostics_sync_record: rule:admin
-    create_zone_transfer_request: rule:admin_or_owner
-    get_zone_transfer_request: rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s
-    get_zone_transfer_request_detailed: rule:admin_or_owner
-    find_zone_transfer_requests: '@'
-    find_zone_transfer_request: '@'
-    update_zone_transfer_request: rule:admin_or_owner
-    delete_zone_transfer_request: rule:admin_or_owner
-    create_zone_transfer_accept: rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s
-    get_zone_transfer_accept: rule:admin_or_owner
-    find_zone_transfer_accepts: rule:admin
-    find_zone_transfer_accept: rule:admin
-    update_zone_transfer_accept: rule:admin
-    delete_zone_transfer_accept: rule:admin
-    create_zone_import: rule:admin_or_owner
-    find_zone_imports: rule:admin_or_owner
-    get_zone_import: rule:admin_or_owner
-    update_zone_import: rule:admin_or_owner
-    delete_zone_import: rule:admin_or_owner
-    zone_export: rule:admin_or_owner
-    create_zone_export: rule:admin_or_owner
-    find_zone_exports: rule:admin_or_owner
-    get_zone_export: rule:admin_or_owner
-    update_zone_export: rule:admin_or_owner
-    find_service_status: rule:admin
-    find_service_statuses: rule:admin
-    update_service_service_status: rule:admin
+  policy: {}
   designate:
     DEFAULT:
       debug: false
diff --git a/charts/heat/Chart.yaml b/charts/heat/Chart.yaml
index 4d3af00..bb2b5af 100644
--- a/charts/heat/Chart.yaml
+++ b/charts/heat/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/heat
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.8
+version: 0.3.1
diff --git a/charts/heat/charts/helm-toolkit/Chart.yaml b/charts/heat/charts/helm-toolkit/Chart.yaml
index ffa1cdc..12e2dd2 100644
--- a/charts/heat/charts/helm-toolkit/Chart.yaml
+++ b/charts/heat/charts/helm-toolkit/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/openstack-helm-infra
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.36
+version: 0.2.50
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_ingress.tpl
index c1693aa..4c476b2 100644
--- a/charts/heat/charts/helm-toolkit/templates/manifests/_ingress.tpl
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -685,7 +685,9 @@
 {{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
 {{- end }}
 {{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
-{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
 {{- $vHosts := list $hostNameFull }}
 ---
 apiVersion: networking.k8s.io/v1
@@ -704,7 +706,6 @@
 {{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
 {{- $vHosts = append $vHosts $v }}
 {{- end }}
-{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
 {{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
 {{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
   tls:
@@ -716,7 +717,6 @@
 {{- end }}
 {{- end }}
 {{- end }}
-{{- end }}
   rules:
 {{- range $vHost := $vHosts }}
 {{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
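Review bot: The example values in the doc comment use `name: {{ $userName }}`, but the template reads `$imageCredentials.username`, so values written from the example would not supply the username that goes into the auth token; the example key should be `username:`. The `return:` sample also shows `dockerconfigjson` where the template emits `.dockerconfigjson`, the `{{ $serviceName }}:` line is indented one column deeper than `enabled: true`, and the whole example entry appears twice. A missing `auth.<registryUser>` entry is not reported with a clear message; wrapping the lookup in `required`, e.g. `{{- $imageCredentials := required "registry credentials missing for this chart" (index $envAll.Values.endpoints.oci_image_registry.auth $registryUser) }}`, would make that explicit.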
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
index 87872d6..3739f95 100644
--- a/charts/heat/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -77,6 +77,11 @@
   password="${RABBITMQ_PASSWORD}" \
   tags="user"
 
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
 if [ "${RABBITMQ_VHOST}" != "/" ]
 then
   echo "Managing: vHost: ${RABBITMQ_VHOST}"
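Review bot: `|| true` on the guest-user deletion hides every failure, not only the expected case where the user is already gone. A permission or connection error therefore leaves the default `guest` account in place, with no trace in the job output unless `rabbitmqadmin_cli` prints its own error. Keeping the step non-fatal but visible would be enough: `name="guest" || echo "WARNING: could not delete guest user" >&2`. The surrounding script starts and ends outside the hunk.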
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
index db12915..687851e 100644
--- a/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -66,6 +66,14 @@
 #       framework will automatically tar/zip the files in that directory and
 #       name the tarball appropriately according to the proper conventions.
 #
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
 # The functions in this file will take care of:
 #   1) Calling "dump_databases_to_directory" and then compressing the files,
 #      naming the tarball properly, and then storing it locally at the specified
@@ -90,6 +98,16 @@
   exit $ERRCODE
 }
 
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
 log() {
   #Log message to a file or stdout
   #TODO: This can be convert into mail alert of alert send to a monitoring system
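Review bot: `ERRCODE=${2:-0}` makes `log_verify_backup_exit` exit with status 0 unless a code is passed, and the caller added in the later verification hunk of this file passes only the message. A failed backup verification therefore ends the script with a success status, and the `exit 1` written after that call is never reached. Defaulting to failure fixes both: `ERRCODE=${2:-1}`. The commented-out `# rm -rf $TMP_DIR` should be removed or explained; presumably the directory is kept for inspection after a failed verification.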
@@ -201,12 +219,36 @@
     log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
     return 2
   fi
+
   openstack object show $CONTAINER_NAME $FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
     return 2
   fi
 
+  # Calculation remote file SHA256 hash
+  REMOTE_FILE=$(mktemp -p /tmp)
+  openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+    rm -rf ${REMOTE_FILE}
+    return 1
+  fi
+
+  # Remote backup verification
+  SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+  SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+  if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+      return 1
+  fi
+  rm -rf ${REMOTE_FILE}
+
   log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
   return 0
 }
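Review bot: When the hashes differ, the function leaves through `return 1` before `rm -rf ${REMOTE_FILE}`, so the downloaded copy of the database backup stays in /tmp on the failure path. Removing the file as soon as both hashes are computed covers both branches: put `rm -f "${REMOTE_FILE}"` directly after the `SHA256_LOCAL=` line and drop the later `rm -rf`. The `mktemp` result is used without a check and the paths are unquoted; `sha256sum "${REMOTE_FILE}"` can also read the file directly instead of going through `cat`. The function starts outside the hunk.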
@@ -253,6 +295,16 @@
   return 1
 }
 
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+  local A_FILE="$1"
+  awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
 # This function takes a list of archives' names as an input
 # and creates a hash table where keys are number of seconds
 # between current date and archive date (see seconds_difference),
@@ -271,21 +323,6 @@
 # possible case, when we have several backups of the same date. E.g.
 # one manual, and one automatic.
 
-function get_archive_date(){
-# get_archive_date function returns correct archive date
-# for different formats of archives' names
-# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
-# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
-local A_FILE="$1"
-local A_DATE=""
-if [[ -z ${BACK_UP_MODE} ]]; then
-  A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 4 | tr -d "Z")
-else
-  A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 5 | tr -d "Z")
-fi
-echo ${A_DATE}
-}
-
 declare -A fileTable
 create_hash_table() {
 unset fileTable
@@ -329,33 +366,6 @@
 }
 
 remove_old_local_archives() {
-  if [[ -d $ARCHIVE_DIR ]]; then
-    count=0
-    SECONDS_TO_KEEP=$((${LOCAL_DAYS_TO_KEEP}*86400))
-    log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days"
-    # We iterate over the hash table, checking the delta in seconds (hash keys),
-    # and minimum number of backups we must have in place. List of keys has to be sorted.
-    for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
-      ARCHIVE_FILE=${FILETABLE[${INDEX}]}
-      if [[ ${INDEX} -le ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
-        ((count++))
-        log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
-      else
-        log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
-          rm -rf $ARCHIVE_FILE
-          if [[ $? -ne 0 ]]; then
-            # Log error but don't exit so we can finish the script
-            # because at this point we haven't sent backup to RGW yet
-            log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
-          fi
-      fi
-    done
-  else
-    log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
-  fi
-}
-
-remove_old_local_archives() {
   SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
   log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
   if [[ -d $ARCHIVE_DIR ]]; then
@@ -400,8 +410,8 @@
   count=0
   SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
   log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
-  for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
-    ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
     if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
       ((count++))
       log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
@@ -414,10 +424,12 @@
 
   # Cleanup now that we're done.
   for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
-  if [[ -f fd ]]; then
-    rm -f fd
-  else
-    log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
+    else
+      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    fi
+  done
 }
 
 # Main function to backup the databases. Calling functions need to supply:
@@ -474,10 +486,6 @@
 
   cd $ARCHIVE_DIR
 
-  # Remove the temporary directory and files as they are no longer needed.
-  rm -rf $TMP_DIR
-  rm -f $ERR_LOG_FILE
-
   #Only delete the old archive after a successful archive
   export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
   if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
@@ -489,6 +497,25 @@
     done
   fi
 
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  # Remote backup
   REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
   if $REMOTE_BACKUP; then
     # Remove Quotes from the constants which were added due to reading
@@ -517,8 +544,12 @@
     #Only delete the old archive after a successful archive
     if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
       prepare_list_of_remote_backups
-      create_hash_table $(cat $DB_BACKUP_FILES)
-      remove_old_remote_archives
+      get_backup_prefix $(cat $DB_BACKUP_FILES)
+      for ((i=0; i<${#PREFIXES[@]}; i++)); do
+        echo "Working with prefix: ${PREFIXES[i]}"
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+        remove_old_remote_archives
+      done
     fi
 
     echo "=================================================================="
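Review bot: `grep ${PREFIXES[i]}` is unquoted and treats the prefix as an unanchored regular expression, so the dots in archive names match any character and one prefix may select archives that belong to another. The result feeds `remove_old_remote_archives`, so this grouping decides which remote backups are deleted. A quoted fixed-string match is safer: `create_hash_table $(grep -F -- "${PREFIXES[i]}" "${DB_BACKUP_FILES}")`; a prefix that is a substring of another would still need anchoring. `PREFIXES` is filled by `get_backup_prefix`, which is outside the hunk, so how distinct the prefixes are cannot be checked here.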
@@ -537,4 +568,4 @@
     echo "=================================================================="
   fi
 }
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
index c2de3aa..093dd2c 100644
--- a/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -269,7 +269,7 @@
       echo "=============================================="
       for archive in $archives
       do
-        echo $archive | cut -d '/' -f 8
+        echo $archive | cut -d '/' -f8-
       done
       clean_and_exit 0 ""
     else
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
index 4cc898d..bc2045e 100644
--- a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -42,6 +42,12 @@
 metadata:
   name: {{ $saName }}
   namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
 {{- range $k, $v := $deps -}}
 {{- if eq $k "services" }}
 {{- range $serv := $v }}
diff --git a/charts/heat/requirements.lock b/charts/heat/requirements.lock
index 1a130f6..84999b0 100644
--- a/charts/heat/requirements.lock
+++ b/charts/heat/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: helm-toolkit
   repository: file://../../openstack-helm-infra/helm-toolkit
-  version: 0.2.36
-digest: sha256:7815f273587bf686278d58f0c6e9c86c37f220ef3f3c1e83edc478613082fef4
-generated: "2022-03-24T05:04:10.242253189Z"
+  version: 0.2.50
+digest: sha256:67fc0fd70898d60cddd5c634b632205a7716bfeb21e57adaeda464efbcfa2ce3
+generated: "2023-01-13T22:23:19.559147167Z"
diff --git a/charts/heat/templates/configmap-etc.yaml b/charts/heat/templates/configmap-etc.yaml
index d5716e1..b49edcd 100644
--- a/charts/heat/templates/configmap-etc.yaml
+++ b/charts/heat/templates/configmap-etc.yaml
@@ -12,6 +12,12 @@
 limitations under the License.
 */}}
 
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
 {{- if .Values.manifests.configmap_etc }}
 {{- $envAll := . }}
 
@@ -106,21 +112,21 @@
 {{- end -}}
 
 {{- if empty .Values.conf.heat.heat_api.bind_port -}}
-{{- $_ := tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api "bind_port" -}}
+{{- $_ := tuple "orchestration" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api "bind_port" -}}
 {{- end -}}
 
 {{- if empty .Values.conf.heat.heat_api_cloudwatch.bind_port -}}
-{{- $_ := tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api_cloudwatch "bind_port" -}}
+{{- $_ := tuple "cloudwatch" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api_cloudwatch "bind_port" -}}
 {{- end -}}
 
 {{- if empty .Values.conf.heat.heat_api_cfn.bind_port -}}
-{{- $_ := tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api_cfn "bind_port" -}}
+{{- $_ := tuple "cloudformation" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api_cfn "bind_port" -}}
 {{- end -}}
 
 {{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
 {{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
 {{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
 {{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
 {{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
 {{- end -}}
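Review bot: The Fluent tag built in `$fluent_args` changes from `<namespace>.<release name>` to `<namespace>.<chart name>` whenever `global.subchart_release_name` is set, so any Fluentd match rule, index pattern or log-based alert keyed on the old tag silently stops receiving Heat logs after the upgrade. Nothing in the template says where `.deployment_name` comes from; it is set on the root context at the top of the file, outside the `manifests.configmap_etc` guard. A comment above that block would make the dependency visible, for example `{{/* deployment_name: chart name when global.subchart_release_name is set, else the release name; used as the Fluent tag suffix */}}`. The tag change also deserves a line in the chart's release notes.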
diff --git a/charts/heat/templates/cron-job-engine-cleaner.yaml b/charts/heat/templates/cron-job-engine-cleaner.yaml
index 1e7e6f3..a7eded4 100644
--- a/charts/heat/templates/cron-job-engine-cleaner.yaml
+++ b/charts/heat/templates/cron-job-engine-cleaner.yaml
@@ -21,7 +21,7 @@
 {{- $serviceAccountName := "heat-engine-cleaner" }}
 {{ tuple $envAll "engine_cleaner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: heat-engine-cleaner
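Review bot: `apiVersion: batch/v1` is now hard-coded here and in cron-job-purge-deleted.yaml, so the CronJobs no longer apply on clusters that only serve `batch/v1beta1` (CronJob reached `batch/v1` in Kubernetes 1.21). If such clusters are still supported, gate the value on capabilities, e.g. `apiVersion: {{ ternary "batch/v1" "batch/v1beta1" (.Capabilities.APIVersions.Has "batch/v1/CronJob") }}`. Otherwise state the new minimum Kubernetes version in the chart's release notes.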
@@ -55,6 +55,9 @@
           serviceAccountName: {{ $serviceAccountName }}
 {{ dict "envAll" $envAll "application" "engine_cleaner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
           restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }}
+{{ end }}
           nodeSelector:
             {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
           initContainers:
@@ -64,6 +67,11 @@
 {{ tuple $envAll "heat_engine_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.engine_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
 {{ dict "envAll" $envAll "application" "engine_cleaner" "container" "heat_engine_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+              env:
+                - name: REQUESTS_CA_BUNDLE
+                  value: "/etc/heat/certs/ca.crt"
+{{- end }}
               command:
                 - /tmp/heat-engine-cleaner.sh
               volumeMounts:
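Review bot: `REQUESTS_CA_BUNDLE` replaces the default trust store for Python `requests` instead of adding to it, so with this block every HTTPS call from the container is verified only against `/etc/heat/certs/ca.crt`. The same block is added to the purge-deleted cron job and to the heat-api, heat-cfn and heat-engine deployments. For the engine, any fetch from an HTTPS URL signed by a different CA would start failing verification if that fetch goes through `requests`, which this diff does not show. The variable is also set when only `tls.identity` is true; the chart's own certificate manifest is then presumably off, so the secret mounted at `/etc/heat/certs` must already exist and contain a `ca.crt` key. A template comment above the `if` would make this explicit: `{{/* ca.crt must bundle every CA these pods reach over HTTPS; REQUESTS_CA_BUNDLE overrides the system store */}}`.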
@@ -85,6 +93,7 @@
                 subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
                 readOnly: true
               {{ end }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
 {{ if $mounts_heat_engine_cleaner.volumeMounts }}{{ toYaml $mounts_heat_engine_cleaner.volumeMounts | indent 14 }}{{ end }}
           volumes:
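Review bot: The cleaner job only needs a CA to verify peers, but the added line mounts the Heat API's own TLS secret (`.Values.secrets.tls.orchestration.api.internal`) under `/etc/heat/certs`. If the `tls_volume_mount` snippet projects every key of that secret, the API's private key becomes readable in a cron-job pod that never serves TLS. The snippet is not part of this hunk, so confirm what it mounts. In the helm-toolkit versions I know it accepts a `certs` list, which would let this line pass `"certs" (tuple "ca.crt")`. The matching mount added to cron-job-purge-deleted.yaml has the same exposure.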
@@ -96,6 +105,7 @@
               secret:
                 secretName: heat-etc
                 defaultMode: 0444
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
             - name: heat-bin
               configMap:
diff --git a/charts/heat/templates/cron-job-purge-deleted.yaml b/charts/heat/templates/cron-job-purge-deleted.yaml
index dd275d7..4d83c29 100644
--- a/charts/heat/templates/cron-job-purge-deleted.yaml
+++ b/charts/heat/templates/cron-job-purge-deleted.yaml
@@ -21,7 +21,7 @@
 {{- $serviceAccountName := "heat-purge-deleted" }}
 {{ tuple $envAll "purge_deleted" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: heat-purge-deleted
@@ -49,6 +49,9 @@
         spec:
           serviceAccountName: {{ $serviceAccountName }}
           restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }}
+{{ end }}
           nodeSelector:
             {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
           initContainers:
@@ -57,6 +60,11 @@
             - name: heat-purge-deleted
 {{ tuple $envAll "heat_purge_deleted" | include "helm-toolkit.snippets.image" | indent 14 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.purge_deleted | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+              env:
+                - name: REQUESTS_CA_BUNDLE
+                  value: "/etc/heat/certs/ca.crt"
+{{- end }}
               command:
                 - /tmp/heat-purge-deleted-active.sh
                 - {{ quote .Values.jobs.purge_deleted.purge_age }}
@@ -79,6 +87,7 @@
                 subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
                 readOnly: true
               {{ end }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
 {{ if $mounts_heat_purge_deleted.volumeMounts }}{{ toYaml $mounts_heat_purge_deleted.volumeMounts | indent 14 }}{{ end }}
           volumes:
@@ -90,6 +99,7 @@
               secret:
                 secretName: heat-etc
                 defaultMode: 0444
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
             - name: heat-bin
               configMap:
diff --git a/charts/heat/templates/deployment-api.yaml b/charts/heat/templates/deployment-api.yaml
index a17ddae..0bed310 100644
--- a/charts/heat/templates/deployment-api.yaml
+++ b/charts/heat/templates/deployment-api.yaml
@@ -49,6 +49,9 @@
 {{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       affinity:
 {{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       nodeSelector:
         {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
       terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
@@ -59,6 +62,11 @@
 {{ tuple $envAll "heat_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "heat" "container" "heat_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/heat/certs/ca.crt"
+{{- end }}
           command:
             - /tmp/heat-api.sh
             - start
@@ -70,13 +78,17 @@
                   - stop
           ports:
             - name: h-api
-              containerPort: {{ tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              containerPort: {{ tuple "orchestration" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
           readinessProbe:
-            tcpSocket:
-              port: {{ tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            httpGet:
+              scheme: {{ tuple "orchestration" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+              path: /
+              port: {{ tuple "orchestration" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
           livenessProbe:
-            tcpSocket:
-              port: {{ tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            httpGet:
+              scheme: {{ tuple "orchestration" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+              path: /
+              port: {{ tuple "orchestration" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
             initialDelaySeconds: 30
           volumeMounts:
             - name: pod-tmp
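Review bot: Switching both probes from `tcpSocket` to `httpGet` on `/` means a slow or erroring API response, not just a closed port, now fails the liveness probe. Neither probe sets `timeoutSeconds` or `failureThreshold`, so the Kubernetes defaults (1 s timeout) decide when the container is restarted. A busy heat-api can then be restarted while still healthy; consider explicit settings such as `timeoutSeconds: 5` on both probes, ideally read from values. The probe scheme comes from `keystone_endpoint_scheme_lookup` for the `service` endpoint, and it has to match what the pod actually listens with; the scheme map is not visible in this diff. The heat-cfn and heat-cloudwatch deployments receive the same probe change.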
@@ -121,7 +133,7 @@
               subPath: mpm_event.conf
               readOnly: true
             {{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
       volumes:
@@ -139,7 +151,7 @@
           secret:
             secretName: heat-etc
             defaultMode: 0444
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/charts/heat/templates/deployment-cfn.yaml b/charts/heat/templates/deployment-cfn.yaml
index 9fab9e6..94ddd06 100644
--- a/charts/heat/templates/deployment-cfn.yaml
+++ b/charts/heat/templates/deployment-cfn.yaml
@@ -49,6 +49,9 @@
 {{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       affinity:
 {{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       nodeSelector:
         {{ .Values.labels.cfn.node_selector_key }}: {{ .Values.labels.cfn.node_selector_value }}
       terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.cfn.timeout | default "30" }}
@@ -59,6 +62,11 @@
 {{ tuple $envAll "heat_cfn" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.cfn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "heat" "container" "heat_cfn" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/heat/certs/ca.crt"
+{{- end }}
           command:
             - /tmp/heat-cfn.sh
             - start
@@ -70,13 +78,17 @@
                   - stop
           ports:
             - name: h-cfn
-              containerPort: {{ tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              containerPort: {{ tuple "cloudformation" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
           readinessProbe:
-            tcpSocket:
-              port: {{ tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            httpGet:
+              scheme: {{ tuple "cloudformation" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+              path: /
+              port: {{ tuple "cloudformation" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
           livenessProbe:
-            tcpSocket:
-              port: {{ tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            httpGet:
+              scheme: {{ tuple "cloudformation" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+              path: /
+              port: {{ tuple "cloudformation" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
             initialDelaySeconds: 30
           volumeMounts:
             - name: pod-tmp
@@ -121,7 +133,7 @@
               subPath: mpm_event.conf
               readOnly: true
             {{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
       volumes:
         - name: pod-tmp
@@ -138,6 +150,6 @@
           secret:
             secretName: heat-etc
             defaultMode: 0444
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/charts/heat/templates/deployment-cloudwatch.yaml b/charts/heat/templates/deployment-cloudwatch.yaml
index 092feac..f1f7353 100644
--- a/charts/heat/templates/deployment-cloudwatch.yaml
+++ b/charts/heat/templates/deployment-cloudwatch.yaml
@@ -48,6 +48,9 @@
 {{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       affinity:
 {{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       nodeSelector:
         {{ .Values.labels.cloudwatch.node_selector_key }}: {{ .Values.labels.cloudwatch.node_selector_value }}
       terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.cloudwatch.timeout | default "30" }}
@@ -69,10 +72,12 @@
                   - stop
           ports:
             - name: h-cwh
-              containerPort: {{ tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              containerPort: {{ tuple "cloudwatch" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
           readinessProbe:
-            tcpSocket:
-              port: {{ tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            httpGet:
+              scheme: {{ tuple "cloudwatch" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+              path: /
+              port: {{ tuple "cloudwatch" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
           volumeMounts:
             - name: pod-tmp
               mountPath: /tmp
diff --git a/charts/heat/templates/deployment-engine.yaml b/charts/heat/templates/deployment-engine.yaml
index 4ae0197..7b7b8ad 100644
--- a/charts/heat/templates/deployment-engine.yaml
+++ b/charts/heat/templates/deployment-engine.yaml
@@ -59,6 +59,9 @@
 {{- tuple $envAll "heat" "engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
       nodeSelector:
         {{ .Values.labels.engine.node_selector_key }}: {{ .Values.labels.engine.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.engine.timeout | default "30" }}
       initContainers:
 {{ tuple $envAll "engine" $mounts_heat_engine_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
@@ -67,6 +70,11 @@
 {{ tuple $envAll "heat_engine" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "heat" "container" "heat_engine" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/heat/certs/ca.crt"
+{{- end }}
           command:
             - /tmp/heat-engine.sh
             - start
@@ -100,7 +108,7 @@
               subPath: policy.yaml
               readOnly: true
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
       volumes:
@@ -116,8 +124,8 @@
           secret:
             secretName: heat-etc
             defaultMode: 0444
- {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/charts/heat/templates/job-bootstrap.yaml b/charts/heat/templates/job-bootstrap.yaml
index 5dfe56f..e5157da 100644
--- a/charts/heat/templates/job-bootstrap.yaml
+++ b/charts/heat/templates/job-bootstrap.yaml
@@ -14,16 +14,18 @@
 
 {{- define "metadata.annotations.job.bootstrap" }}
 helm.sh/hook: post-install,post-upgrade
-helm.sh/hook-weight: "5"
 {{- end }}
 
 {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
 {{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }}
 {{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
 {{- end }}
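Review bot: Removing `helm.sh/hook-weight: "5"` leaves the bootstrap job at the default weight 0, so it is no longer ordered after the other post-install/post-upgrade hook jobs. Helm runs hooks in weight order and waits for each Job to complete. If bootstrap has dependencies on a job that now sorts after it, the release would stall until the hook timeout. The other hook annotation templates are outside this hunk, so the ordering needs to be checked against them. If the removal is intentional, a short comment inside the `define`, such as `{{/* no hook-weight: bootstrap has no ordering dependency on other hooks */}}`, would keep it from being re-added.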
diff --git a/charts/heat/templates/job-db-drop.yaml b/charts/heat/templates/job-db-drop.yaml
index d74fa7b..7caa961 100644
--- a/charts/heat/templates/job-db-drop.yaml
+++ b/charts/heat/templates/job-db-drop.yaml
@@ -17,5 +17,8 @@
 {{- if .Values.manifests.certificates -}}
 {{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
 {{- end -}}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
 {{- end }}
diff --git a/charts/heat/templates/job-db-init.yaml b/charts/heat/templates/job-db-init.yaml
index b3b44fe..442a2fa 100644
--- a/charts/heat/templates/job-db-init.yaml
+++ b/charts/heat/templates/job-db-init.yaml
@@ -25,5 +25,8 @@
 {{- if .Values.helm3_hook }}
 {{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
 {{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
 {{- end }}
diff --git a/charts/heat/templates/job-db-sync.yaml b/charts/heat/templates/job-db-sync.yaml
index 5670792..a25faf8 100644
--- a/charts/heat/templates/job-db-sync.yaml
+++ b/charts/heat/templates/job-db-sync.yaml
@@ -25,5 +25,8 @@
 {{- if .Values.helm3_hook }}
 {{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
 {{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
 {{- end }}
diff --git a/charts/heat/templates/job-image-repo-sync.yaml b/charts/heat/templates/job-image-repo-sync.yaml
index a9da325..83a84bb 100644
--- a/charts/heat/templates/job-image-repo-sync.yaml
+++ b/charts/heat/templates/job-image-repo-sync.yaml
@@ -21,5 +21,8 @@
 {{- if .Values.helm3_hook }}
 {{- $_ := $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
 {{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
 {{- end }}
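Review bot: The unchanged line directly above the addition, `{{- $_ := $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}`, is missing `set`, while the added tolerations lines and every sibling job template in this commit use `set $<job> "jobAnnotations" …`. As written the template passes arguments to a variable, which fails at render time whenever `helm3_hook` is true and this job is enabled. Since the commit already edits this block, fix it in the same change: `{{- $_ := set $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}`. The `if` that guards the whole job starts above the hunk.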
diff --git a/charts/heat/templates/job-ks-endpoints.yaml b/charts/heat/templates/job-ks-endpoints.yaml
index 9388806..21b0bd1 100644
--- a/charts/heat/templates/job-ks-endpoints.yaml
+++ b/charts/heat/templates/job-ks-endpoints.yaml
@@ -19,11 +19,14 @@
 
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
 {{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
 {{- end }}
diff --git a/charts/heat/templates/job-ks-service.yaml b/charts/heat/templates/job-ks-service.yaml
index 5947c0e..930707a 100644
--- a/charts/heat/templates/job-ks-service.yaml
+++ b/charts/heat/templates/job-ks-service.yaml
@@ -19,11 +19,14 @@
 
 {{- if .Values.manifests.job_ks_service }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
 {{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
 {{- end }}
diff --git a/charts/heat/templates/job-ks-user-domain.yaml b/charts/heat/templates/job-ks-user-domain.yaml
index a709608..6e76df8 100644
--- a/charts/heat/templates/job-ks-user-domain.yaml
+++ b/charts/heat/templates/job-ks-user-domain.yaml
@@ -46,6 +46,9 @@
       restartPolicy: OnFailure
       nodeSelector:
         {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       initContainers:
 {{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
@@ -61,9 +64,9 @@
               mountPath: /tmp/ks-domain-user.sh
               subPath: ks-domain-user.sh
               readOnly: true
-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
+{{ dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
           env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_SERVICE_NAME
@@ -97,5 +100,5 @@
           configMap:
             name: heat-bin
             defaultMode: 0555
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
diff --git a/charts/heat/templates/job-ks-user-trustee.yaml b/charts/heat/templates/job-ks-user-trustee.yaml
index 21f1b57..665be81 100644
--- a/charts/heat/templates/job-ks-user-trustee.yaml
+++ b/charts/heat/templates/job-ks-user-trustee.yaml
@@ -18,11 +18,14 @@
 
 {{- if .Values.manifests.job_ks_user_trustee }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.heat_trust" . | fromYaml) }}
 {{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{- end }}
diff --git a/charts/heat/templates/job-ks-user.yaml b/charts/heat/templates/job-ks-user.yaml
index bf23eeb..c5be1fe 100644
--- a/charts/heat/templates/job-ks-user.yaml
+++ b/charts/heat/templates/job-ks-user.yaml
@@ -19,11 +19,14 @@
 
 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
 {{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{- end }}
diff --git a/charts/heat/templates/job-rabbit-init.yaml b/charts/heat/templates/job-rabbit-init.yaml
index 8da178b..bd6b228 100644
--- a/charts/heat/templates/job-rabbit-init.yaml
+++ b/charts/heat/templates/job-rabbit-init.yaml
@@ -25,5 +25,8 @@
 {{- if .Values.helm3_hook }}
 {{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
 {{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
 {{- end }}
diff --git a/charts/heat/templates/job-trusts.yaml b/charts/heat/templates/job-trusts.yaml
index afa6bde..ae5bc64 100644
--- a/charts/heat/templates/job-trusts.yaml
+++ b/charts/heat/templates/job-trusts.yaml
@@ -48,6 +48,9 @@
       restartPolicy: OnFailure
       nodeSelector:
         {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       initContainers:
 {{ tuple $envAll "trusts" $mounts_heat_trusts_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
@@ -65,10 +68,10 @@
               mountPath: /tmp/trusts.sh
               subPath: trusts.sh
               readOnly: true
-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
+{{ dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
 {{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }}
           env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" $envAll.Values.manifests.certificates }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_ROLES
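Review bot: The new `useCA` argument reads `.Values` while the first argument of the same `dict` reads `$envAll.Values`, so the line depends on `.` still being the chart root at this point in the template. It renders the same today because the `with` pipeline is evaluated before `.` is rebound. Using `$envAll` throughout is safer against a later enclosing `range` or `with`: `"useCA" (or $envAll.Values.manifests.certificates $envAll.Values.tls.identity)`. The container spec starts and ends outside the hunk.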
@@ -84,5 +87,5 @@
           configMap:
             name: heat-bin
             defaultMode: 0555
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }}
diff --git a/charts/heat/templates/pdb-api.yaml b/charts/heat/templates/pdb-api.yaml
index 284e079..847873c 100644
--- a/charts/heat/templates/pdb-api.yaml
+++ b/charts/heat/templates/pdb-api.yaml
@@ -15,7 +15,7 @@
 {{- if .Values.manifests.pdb_api }}
 {{- $envAll := . }}
 ---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: heat-api
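Review bot: The `apiVersion: policy/v1` line hard-codes an API that only exists on Kubernetes 1.21 and later, so an older cluster will reject this PodDisruptionBudget at install time. If older clusters are still supported, select the version from cluster capabilities, e.g. `apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (.Capabilities.APIVersions.Has "policy/v1") }}`. Otherwise declare the minimum version through `kubeVersion` in Chart.yaml. The same line changes in pdb-cfn.yaml and pdb-cloudwatch.yaml, and the PDB spec itself continues outside the hunk.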
diff --git a/charts/heat/templates/pdb-cfn.yaml b/charts/heat/templates/pdb-cfn.yaml
index 52a72fb..e78c4f2 100644
--- a/charts/heat/templates/pdb-cfn.yaml
+++ b/charts/heat/templates/pdb-cfn.yaml
@@ -15,7 +15,7 @@
 {{- if .Values.manifests.pdb_cfn }}
 {{- $envAll := . }}
 ---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: heat-cfn
diff --git a/charts/heat/templates/pdb-cloudwatch.yaml b/charts/heat/templates/pdb-cloudwatch.yaml
index a0b057b..5687967 100644
--- a/charts/heat/templates/pdb-cloudwatch.yaml
+++ b/charts/heat/templates/pdb-cloudwatch.yaml
@@ -15,7 +15,7 @@
 {{- if .Values.manifests.pdb_cloudwatch }}
 {{- $envAll := . }}
 ---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: heat-cloudwatch
diff --git a/charts/heat/templates/pod-rally-test.yaml b/charts/heat/templates/pod-rally-test.yaml
index 9aa6373..ac6c636 100644
--- a/charts/heat/templates/pod-rally-test.yaml
+++ b/charts/heat/templates/pod-rally-test.yaml
@@ -12,19 +12,25 @@
 limitations under the License.
 */}}
 
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
 {{- if .Values.manifests.pod_rally_test }}
 {{- $envAll := . }}
 
 {{- $mounts_tests := .Values.pod.mounts.heat_tests.heat_tests }}
 {{- $mounts_tests_init := .Values.pod.mounts.heat_tests.init_container }}
 
-{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
 {{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: v1
 kind: Pod
 metadata:
-  name: {{ print $envAll.Release.Name "-test" }}
+  name: {{ print $envAll.deployment_name "-test" }}
   labels:
 {{ tuple $envAll "heat" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
   annotations:
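Review bot: With `global.subchart_release_name` set, the test Pod and its ServiceAccount are named from `.Chart.Name` instead of `.Release.Name`. Two releases of this chart in one namespace would then render the same `<chart>-test` names, and the second install would conflict. The block also writes `deployment_name` onto the root context with `set .` ahead of the `manifests.pod_rally_test` guard, and nothing in the hunk explains it. A template comment above the `if` would help, e.g. `{{/* deployment_name is .Chart.Name when global.subchart_release_name is set, otherwise .Release.Name; it must be unique per namespace */}}`.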
@@ -33,11 +39,14 @@
 spec:
   nodeSelector:
     {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }}
+{{ end }}
   restartPolicy: Never
   serviceAccountName: {{ $serviceAccountName }}
   initContainers:
 {{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
-    - name: {{ .Release.Name }}-test-ks-user
+    - name: {{ .deployment_name }}-test-ks-user
 {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
       command:
@@ -62,7 +71,7 @@
         - name: SERVICE_OS_ROLE
           value: {{ .Values.endpoints.identity.auth.test.role | quote }}
   containers:
-    - name: {{ .Release.Name }}-test
+    - name: {{ .deployment_name }}-test
 {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
       env:
@@ -73,7 +82,7 @@
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
 {{- end }}
         - name: RALLY_ENV_NAME
-          value: {{.Release.Name}}
+          value: {{.deployment_name}}
       command:
         - /tmp/rally-test.sh
       volumeMounts:
diff --git a/charts/heat/templates/secret-registry.yaml b/charts/heat/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/heat/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/heat/templates/service-api.yaml b/charts/heat/templates/service-api.yaml
index fd0aadf..39de598 100644
--- a/charts/heat/templates/service-api.yaml
+++ b/charts/heat/templates/service-api.yaml
@@ -22,7 +22,7 @@
 spec:
   ports:
     - name: h-api
-      port: {{ tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      port: {{ tuple "orchestration" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
     {{ if .Values.network.api.node_port.enabled }}
       nodePort: {{ .Values.network.api.node_port.port }}
     {{ end }}
diff --git a/charts/heat/templates/service-cfn.yaml b/charts/heat/templates/service-cfn.yaml
index 568c1db..4114962 100644
--- a/charts/heat/templates/service-cfn.yaml
+++ b/charts/heat/templates/service-cfn.yaml
@@ -22,7 +22,7 @@
 spec:
   ports:
     - name: h-cfn
-      port: {{ tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      port: {{ tuple "cloudformation" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
     {{ if .Values.network.cfn.node_port.enabled }}
       nodePort: {{ .Values.network.cfn.node_port.port }}
     {{ end }}
diff --git a/charts/heat/templates/service-cloudwatch.yaml b/charts/heat/templates/service-cloudwatch.yaml
index 4978371..0afec9d 100644
--- a/charts/heat/templates/service-cloudwatch.yaml
+++ b/charts/heat/templates/service-cloudwatch.yaml
@@ -22,7 +22,7 @@
 spec:
   ports:
     - name: h-cwh
-      port: {{ tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      port: {{ tuple "cloudwatch" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
     {{ if .Values.network.cloudwatch.node_port.enabled }}
       nodePort: {{ .Values.network.cloudwatch.node_port.port }}
     {{ end }}
diff --git a/charts/heat/values.yaml b/charts/heat/values.yaml
index 58f786b..555af53 100644
--- a/charts/heat/values.yaml
+++ b/charts/heat/values.yaml
@@ -340,95 +340,7 @@
       paste.filter_factory: oslo_middleware.request_id:RequestId.factory
     filter:osprofiler:
       paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
-  policy:
-    context_is_admin: role:admin and is_admin_project:True
-    project_admin: role:admin
-    deny_stack_user: not role:heat_stack_user
-    deny_everybody: "!"
-    cloudformation:ListStacks: rule:deny_stack_user
-    cloudformation:CreateStack: rule:deny_stack_user
-    cloudformation:DescribeStacks: rule:deny_stack_user
-    cloudformation:DeleteStack: rule:deny_stack_user
-    cloudformation:UpdateStack: rule:deny_stack_user
-    cloudformation:CancelUpdateStack: rule:deny_stack_user
-    cloudformation:DescribeStackEvents: rule:deny_stack_user
-    cloudformation:ValidateTemplate: rule:deny_stack_user
-    cloudformation:GetTemplate: rule:deny_stack_user
-    cloudformation:EstimateTemplateCost: rule:deny_stack_user
-    cloudformation:DescribeStackResource: ''
-    cloudformation:DescribeStackResources: rule:deny_stack_user
-    cloudformation:ListStackResources: rule:deny_stack_user
-    cloudwatch:DeleteAlarms: rule:deny_stack_user
-    cloudwatch:DescribeAlarmHistory: rule:deny_stack_user
-    cloudwatch:DescribeAlarms: rule:deny_stack_user
-    cloudwatch:DescribeAlarmsForMetric: rule:deny_stack_user
-    cloudwatch:DisableAlarmActions: rule:deny_stack_user
-    cloudwatch:EnableAlarmActions: rule:deny_stack_user
-    cloudwatch:GetMetricStatistics: rule:deny_stack_user
-    cloudwatch:ListMetrics: rule:deny_stack_user
-    cloudwatch:PutMetricAlarm: rule:deny_stack_user
-    cloudwatch:PutMetricData: ''
-    cloudwatch:SetAlarmState: rule:deny_stack_user
-    actions:action: rule:deny_stack_user
-    build_info:build_info: rule:deny_stack_user
-    events:index: rule:deny_stack_user
-    events:show: rule:deny_stack_user
-    resource:index: rule:deny_stack_user
-    resource:metadata: ''
-    resource:signal: ''
-    resource:mark_unhealthy: rule:deny_stack_user
-    resource:show: rule:deny_stack_user
-    stacks:abandon: rule:deny_stack_user
-    stacks:create: rule:deny_stack_user
-    stacks:delete: rule:deny_stack_user
-    stacks:detail: rule:deny_stack_user
-    stacks:export: rule:deny_stack_user
-    stacks:generate_template: rule:deny_stack_user
-    stacks:global_index: rule:deny_everybody
-    stacks:index: rule:deny_stack_user
-    stacks:list_resource_types: rule:deny_stack_user
-    stacks:list_template_versions: rule:deny_stack_user
-    stacks:list_template_functions: rule:deny_stack_user
-    stacks:lookup: ''
-    stacks:preview: rule:deny_stack_user
-    stacks:resource_schema: rule:deny_stack_user
-    stacks:show: rule:deny_stack_user
-    stacks:template: rule:deny_stack_user
-    stacks:environment: rule:deny_stack_user
-    stacks:files: rule:deny_stack_user
-    stacks:update: rule:deny_stack_user
-    stacks:update_patch: rule:deny_stack_user
-    stacks:preview_update: rule:deny_stack_user
-    stacks:preview_update_patch: rule:deny_stack_user
-    stacks:validate_template: rule:deny_stack_user
-    stacks:snapshot: rule:deny_stack_user
-    stacks:show_snapshot: rule:deny_stack_user
-    stacks:delete_snapshot: rule:deny_stack_user
-    stacks:list_snapshots: rule:deny_stack_user
-    stacks:restore_snapshot: rule:deny_stack_user
-    stacks:list_outputs: rule:deny_stack_user
-    stacks:show_output: rule:deny_stack_user
-    software_configs:global_index: rule:deny_everybody
-    software_configs:index: rule:deny_stack_user
-    software_configs:create: rule:deny_stack_user
-    software_configs:show: rule:deny_stack_user
-    software_configs:delete: rule:deny_stack_user
-    software_deployments:index: rule:deny_stack_user
-    software_deployments:create: rule:deny_stack_user
-    software_deployments:show: rule:deny_stack_user
-    software_deployments:update: rule:deny_stack_user
-    software_deployments:delete: rule:deny_stack_user
-    software_deployments:metadata: ''
-    service:index: rule:context_is_admin
-    resource_types:OS::Nova::Flavor: rule:project_admin
-    resource_types:OS::Cinder::EncryptedVolumeType: rule:project_admin
-    resource_types:OS::Cinder::VolumeType: rule:project_admin
-    resource_types:OS::Cinder::Quota: rule:project_admin
-    resource_types:OS::Manila::ShareType: rule:project_admin
-    resource_types:OS::Neutron::QoSPolicy: rule:project_admin
-    resource_types:OS::Neutron::QoSBandwidthLimitRule: rule:project_admin
-    resource_types:OS::Nova::HostAggregate: rule:project_admin
-    resource_types:OS::Cinder::QoSSpecs: rule:project_admin
+  policy: {}
   heat:
     DEFAULT:
       log_config_append: /etc/heat/logging.conf
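Review bot: Replacing the explicit rule set with `policy: {}` changes where Heat's authorization rules come from, and the hunk leaves no comment saying so. The effective rules are presumably whatever in-code defaults the deployed Heat release ships; how the chart renders an empty policy is outside this hunk. The removed rules include `stacks:global_index: rule:deny_everybody` and `software_configs:global_index: rule:deny_everybody`, so operators upgrading should compare their Heat image's defaults against the removed list before rollout. A comment above the key would make the intent visible, e.g. `# empty: rely on Heat's in-code policy defaults; add overrides here`.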
@@ -804,6 +716,9 @@
       cfn:
         public: cloudformation-tls-public
         internal: heat-tls-cfn
+  oci_image_registry:
+    heat: heat-oci-image-registry
+
 # typically overridden by environmental
 # values, but should include all endpoints
 # required by this chart
@@ -821,6 +736,21 @@
     port:
       registry:
         node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      heat:
+        username: heat
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
   identity:
     name: keystone
     auth:
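Review bot: The new `oci_image_registry.auth.heat` block ships `password: password` as its default, and nothing in the hunk says the value must be replaced before `auth.enabled` is turned on. secret-registry.yaml in this commit includes `helm-toolkit.manifests.secret_registry` once `manifests.secret_registry` and `auth.enabled` are both true. That template presumably builds the registry secret from these values, so a forgotten override would deploy the placeholder credential. Add a comment above the block such as `# placeholder credentials: override username/password before setting auth.enabled to true`. The horizon values.yaml hunk that adds `oci_image_registry` has the same default.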
@@ -892,10 +822,12 @@
       default: '/v1/%(project_id)s'
     scheme:
       default: 'http'
+      service: 'http'
     port:
       api:
         default: 8004
         public: 80
+        service: 8004
   cloudformation:
     name: heat-cfn
     hosts:
@@ -914,10 +846,12 @@
       default: /v1
     scheme:
       default: 'http'
+      service: 'http'
     port:
       api:
         default: 8000
         public: 80
+        service: 8000
   # Cloudwatch does not get an entry in the keystone service catalog
   cloudwatch:
     name: heat-cloudwatch
@@ -931,10 +865,12 @@
     type: null
     scheme:
       default: 'http'
+      service: 'http'
     port:
       api:
         default: 8003
         public: 80
+        service: 8003
   oslo_db:
     auth:
       admin:
@@ -1082,6 +1018,13 @@
         default: kubernetes.io/hostname
       weight:
         default: 10
+  tolerations:
+    heat:
+      enabled: false
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
   mounts:
     heat_api:
       init_container: null
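Review bot: The default toleration only matches the `node-role.kubernetes.io/master` taint, which newer Kubernetes releases replace with `node-role.kubernetes.io/control-plane`. On such clusters, enabling `pod.tolerations.heat` with this default would have no effect. Since this commit also moves the PodDisruptionBudgets to `policy/v1`, add a second list entry with `key: node-role.kubernetes.io/control-plane`, `operator: Exists`, `effect: NoSchedule`. A comment should also say that enabling this lets the credential-handling jobs touched in this commit (ks-user, rabbit-init, trusts) be scheduled onto control-plane nodes.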
@@ -1295,6 +1238,11 @@
 # set helm3_hook: false when using the helm2 binary.
 helm3_hook: true
 
+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
 manifests:
   certificates: false
   configmap_bin: true
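Review bot: The new `tls` block has no comment describing what each switch does. In the Heat template hunks visible in this part of the diff only `tls.identity` is read, and `tls.oslo_messaging` and `tls.oslo_db` are not referenced. `tls.identity: true` makes the ks-user and trusts jobs mount `secrets.tls.orchestration.api.internal` even when `manifests.certificates` is false, so that secret presumably has to exist already or the pods will not start. Suggested comment: `# tls.identity: trust the Keystone CA from secrets.tls.orchestration.api.internal; the secret must already exist when manifests.certificates is false`.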
@@ -1328,6 +1276,7 @@
   secret_ingress_tls: true
   secret_keystone: true
   secret_rabbitmq: true
+  secret_registry: true
   service_api: true
   service_cfn: true
   service_cloudwatch: false
diff --git a/charts/horizon/Chart.yaml b/charts/horizon/Chart.yaml
index 40de3cb..dc5ce03 100644
--- a/charts/horizon/Chart.yaml
+++ b/charts/horizon/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/horizon
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.24
+version: 0.3.1
diff --git a/charts/horizon/charts/helm-toolkit/Chart.yaml b/charts/horizon/charts/helm-toolkit/Chart.yaml
index d90280e..12e2dd2 100644
--- a/charts/horizon/charts/helm-toolkit/Chart.yaml
+++ b/charts/horizon/charts/helm-toolkit/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/openstack-helm-infra
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.44
+version: 0.2.50
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_ingress.tpl
index 7846895..4c476b2 100644
--- a/charts/horizon/charts/helm-toolkit/templates/manifests/_ingress.tpl
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -685,7 +685,7 @@
 {{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
 {{- end }}
 {{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
-{{- $ingressConf := $envAll.Values.network.server.ingress -}}
+{{- $ingressConf := $envAll.Values.network -}}
 {{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
 {{- range $key2, $ingressController := $ingressClasses }}
 {{- $vHosts := list $hostNameFull }}
@@ -706,7 +706,6 @@
 {{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
 {{- $vHosts = append $vHosts $v }}
 {{- end }}
-{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
 {{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
 {{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
   tls:
@@ -718,7 +717,6 @@
 {{- end }}
 {{- end }}
 {{- end }}
-{{- end }}
   rules:
 {{- range $vHost := $vHosts }}
 {{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
index 87872d6..3739f95 100644
--- a/charts/horizon/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -77,6 +77,11 @@
   password="${RABBITMQ_PASSWORD}" \
   tags="user"
 
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
 if [ "${RABBITMQ_VHOST}" != "/" ]
 then
   echo "Managing: vHost: ${RABBITMQ_VHOST}"
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
index 516d79e..687851e 100644
--- a/charts/horizon/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -66,6 +66,14 @@
 #       framework will automatically tar/zip the files in that directory and
 #       name the tarball appropriately according to the proper conventions.
 #
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
 # The functions in this file will take care of:
 #   1) Calling "dump_databases_to_directory" and then compressing the files,
 #      naming the tarball properly, and then storing it locally at the specified
@@ -90,6 +98,16 @@
   exit $ERRCODE
 }
 
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
 log() {
   #Log message to a file or stdout
   #TODO: This can be convert into mail alert of alert send to a monitoring system
@@ -201,12 +219,36 @@
     log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
     return 2
   fi
+
   openstack object show $CONTAINER_NAME $FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
     return 2
   fi
 
+  # Calculation remote file SHA256 hash
+  REMOTE_FILE=$(mktemp -p /tmp)
+  openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+    rm -rf ${REMOTE_FILE}
+    return 1
+  fi
+
+  # Remote backup verification
+  SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+  SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+  if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+      return 1
+  fi
+  rm -rf ${REMOTE_FILE}
+
   log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
   return 0
 }
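Review bot: The mismatch branch returns before `rm -rf ${REMOTE_FILE}`, so after a failed comparison a full copy of the database backup downloaded from the container stays in /tmp. Remove it on that path too by adding `rm -f "${REMOTE_FILE}"` before the `return 1` in the `else` branch, or set a cleanup `trap` right after `mktemp`. The new expansions are also unquoted (`${REMOTE_FILE}`, `${FILEPATH}/${FILE}`) and break on paths containing spaces. `sha256sum "${FILEPATH}/${FILE}" | awk '{print $1}'` fixes the quoting and drops the extra `cat`. The function starts outside the hunk.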
@@ -382,8 +424,8 @@
 
   # Cleanup now that we're done.
   for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
-    if [[ -f fd ]]; then
-      rm -f fd
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
     else
       log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
     fi
@@ -444,10 +486,6 @@
 
   cd $ARCHIVE_DIR
 
-  # Remove the temporary directory and files as they are no longer needed.
-  rm -rf $TMP_DIR
-  rm -f $ERR_LOG_FILE
-
   #Only delete the old archive after a successful archive
   export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
   if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
@@ -459,6 +497,25 @@
     done
   fi
 
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  # Remote backup
   REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
   if $REMOTE_BACKUP; then
     # Remove Quotes from the constants which were added due to reading
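Review bot: A failed verification will most likely exit with status 0. `log_verify_backup_exit` is called here with only a message, the helper added earlier in this file defaults its code with `ERRCODE=${2:-0}` and then runs `exit $ERRCODE`, and so the `exit 1` on the following line is never reached. A backup job whose archives failed verification would then be reported as successful. Pass the code explicitly, `log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention." 1`, and drop the dead `exit 1`. The helper also leaves `$TMP_DIR` behind on this path because its `rm -rf $TMP_DIR` is commented out; the enclosing function starts and ends outside the hunk.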
@@ -490,7 +547,7 @@
       get_backup_prefix $(cat $DB_BACKUP_FILES)
       for ((i=0; i<${#PREFIXES[@]}; i++)); do
         echo "Working with prefix: ${PREFIXES[i]}"
-        create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
         remove_old_remote_archives
       done
     fi
@@ -511,4 +568,4 @@
     echo "=================================================================="
   fi
 }
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/horizon/requirements.lock b/charts/horizon/requirements.lock
index 7dabb14..ecbd75a 100644
--- a/charts/horizon/requirements.lock
+++ b/charts/horizon/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: helm-toolkit
   repository: file://../../openstack-helm-infra/helm-toolkit
-  version: 0.2.44
-digest: sha256:d3a834e34152bf30319ac30e116adc128b474ca63bbbe0fb323a7a2365a56455
-generated: "2022-08-10T23:42:39.798166264Z"
+  version: 0.2.50
+digest: sha256:67fc0fd70898d60cddd5c634b632205a7716bfeb21e57adaeda464efbcfa2ce3
+generated: "2023-01-13T22:23:18.196867382Z"
diff --git a/charts/horizon/templates/deployment.yaml b/charts/horizon/templates/deployment.yaml
index e3978c5..a23b56d 100644
--- a/charts/horizon/templates/deployment.yaml
+++ b/charts/horizon/templates/deployment.yaml
@@ -70,6 +70,10 @@
             valueFrom:
               fieldRef:
                 fieldPath: status.podIP
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+          - name: REQUESTS_CA_BUNDLE
+            value: "/etc/openstack-dashboard/certs/ca.crt"
+{{- end }}
           lifecycle:
             preStop:
               exec:
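Review bot: `REQUESTS_CA_BUNDLE` replaces the default trust store of python-requests for the whole Horizon process rather than adding to it. Once `tls.identity` or `manifests.certificates` is on, any outbound HTTPS call to an endpoint not signed by the CA in `/etc/openstack-dashboard/certs/ca.crt` will fail verification. That is the safer failure direction, but it should be stated next to the variable, e.g. `# replaces the default CA bundle: ca.crt must cover every HTTPS endpoint Horizon calls`. The path matches the mount of `secrets.tls.dashboard.dashboard.internal` changed later in this file; whether that secret carries a `ca.crt` key is not visible here.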
@@ -157,7 +161,7 @@
               mountPath: /tmp/favicon.ico
               subPath: favicon.ico
             {{- end }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.dashboard.dashboard.internal "path" "/etc/openstack-dashboard/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or $envAll.Values.manifests.certificates $envAll.Values.tls.identity) "name" $envAll.Values.secrets.tls.dashboard.dashboard.internal "path" "/etc/openstack-dashboard/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }}
       volumes:
@@ -181,6 +185,6 @@
             name: horizon-logo
         {{- end }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or $envAll.Values.manifests.certificates $envAll.Values.tls.identity) "name" $envAll.Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/charts/horizon/templates/secret-registry.yaml b/charts/horizon/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/horizon/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/horizon/values.yaml b/charts/horizon/values.yaml
index 4ea901b..3abf9a1 100644
--- a/charts/horizon/values.yaml
+++ b/charts/horizon/values.yaml
@@ -246,7 +246,7 @@
         # Pass any settings to the end of local_settings.py
         raw: {}
         openstack_api_versions:
-          container_infra: "1.19"
+          container_infra: "1.10"
       template: |
         import os
 
@@ -1233,6 +1233,11 @@
       dashboard:
         public: horizon-tls-public
         internal: horizon-tls-web
+  oci_image_registry:
+    horizon: horizon-oci-image-registry
+
+tls:
+  identity: false
 
 # typically overridden by environmental
 # values, but should include all endpoints
@@ -1251,6 +1256,21 @@
     port:
       registry:
         node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      horizon:
+        username: horizon
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
   identity:
     name: keystone
     auth:
@@ -1376,6 +1396,7 @@
   secret_db: true
   secret_ingress_tls: true
   secret_keystone: true
+  secret_registry: true
   service_ingress: true
   service: true
 ...
diff --git a/charts/placement/Chart.yaml b/charts/placement/Chart.yaml
index 23f8ccf..188ccfb 100644
--- a/charts/placement/Chart.yaml
+++ b/charts/placement/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/placement
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.10
+version: 0.3.2
diff --git a/charts/placement/charts/helm-toolkit/Chart.yaml b/charts/placement/charts/helm-toolkit/Chart.yaml
index 4f9e6e5..12e2dd2 100644
--- a/charts/placement/charts/helm-toolkit/Chart.yaml
+++ b/charts/placement/charts/helm-toolkit/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/openstack-helm-infra
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.46
+version: 0.2.50
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_ingress.tpl
index 70e64cc..4c476b2 100644
--- a/charts/placement/charts/helm-toolkit/templates/manifests/_ingress.tpl
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -685,7 +685,7 @@
 {{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
 {{- end }}
 {{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
-{{- $ingressConf := $envAll.Values.network.kibana.ingress -}}
+{{- $ingressConf := $envAll.Values.network -}}
 {{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
 {{- range $key2, $ingressController := $ingressClasses }}
 {{- $vHosts := list $hostNameFull }}
@@ -706,7 +706,6 @@
 {{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
 {{- $vHosts = append $vHosts $v }}
 {{- end }}
-{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
 {{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
 {{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
   tls:
@@ -718,7 +717,6 @@
 {{- end }}
 {{- end }}
 {{- end }}
-{{- end }}
   rules:
 {{- range $vHost := $vHosts }}
 {{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
index 87872d6..3739f95 100644
--- a/charts/placement/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -77,6 +77,11 @@
   password="${RABBITMQ_PASSWORD}" \
   tags="user"
 
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
 if [ "${RABBITMQ_VHOST}" != "/" ]
 then
   echo "Managing: vHost: ${RABBITMQ_VHOST}"
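Review bot: The `|| true` on the added `delete user name="guest"` call hides every failure, not only the expected "user does not exist" case, so a connection or permission error would leave RabbitMQ's default `guest` account in place with nothing in the job log. The step can stay non-fatal while still recording the outcome, for example by ending the command with `name="guest" || echo "WARNING: guest user not deleted (already absent, or the delete call failed)"`. A one-line comment above the `echo` would also help, such as `# Remove the built-in guest account so its default credentials cannot be used`. The script starts and continues outside this hunk, so whether `set -e` is active is not visible here.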
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
index 516d79e..687851e 100644
--- a/charts/placement/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -66,6 +66,14 @@
 #       framework will automatically tar/zip the files in that directory and
 #       name the tarball appropriately according to the proper conventions.
 #
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
 # The functions in this file will take care of:
 #   1) Calling "dump_databases_to_directory" and then compressing the files,
 #      naming the tarball properly, and then storing it locally at the specified
@@ -90,6 +98,16 @@
   exit $ERRCODE
 }
 
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
 log() {
   #Log message to a file or stdout
   #TODO: This can be convert into mail alert of alert send to a monitoring system
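Review bot: `log_verify_backup_exit` defaults its exit status to success (`ERRCODE=${2:-0}`), and its only visible caller, in the `@@ -459,6 +497,25 @@` hunk, passes just a message, so a failed archive verification logs ERROR and then exits 0. The `exit 1` written after that call is never reached. Anything that keys on the job's exit status would record the backup run as successful even though verification failed and nothing was uploaded. Defaulting to failure fixes it: `ERRCODE=${2:-1}`. The commented-out `# rm -rf $TMP_DIR` should either go or be replaced by a comment saying the directory is deliberately kept for inspection, and `rm -f "$ERR_LOG_FILE"` should be quoted.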
@@ -201,12 +219,36 @@
     log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
     return 2
   fi
+
   openstack object show $CONTAINER_NAME $FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
     return 2
   fi
 
+  # Calculation remote file SHA256 hash
+  REMOTE_FILE=$(mktemp -p /tmp)
+  openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+    rm -rf ${REMOTE_FILE}
+    return 1
+  fi
+
+  # Remote backup verification
+  SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+  SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+  if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+      return 1
+  fi
+  rm -rf ${REMOTE_FILE}
+
   log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
   return 0
 }
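Review bot: On a hash mismatch the new code returns before reaching `rm -rf ${REMOTE_FILE}`, so the downloaded copy of the database backup is left in `/tmp`; the download-failure branch cleans up, but the mismatch branch does not. Add `rm -f "${REMOTE_FILE}"` before the `return 1` in the `else` branch, or delete the file right after both hashes are computed. The paths in `openstack object save --file ${REMOTE_FILE}` and `cat ${FILEPATH}/${FILE}` are unquoted and should be written as `"${REMOTE_FILE}"` and `"${FILEPATH}/${FILE}"`. The check also stages a second full copy of the archive under `/tmp`, so that location needs free space equal to the largest backup. The function begins outside this hunk.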
@@ -382,8 +424,8 @@
 
   # Cleanup now that we're done.
   for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
-    if [[ -f fd ]]; then
-      rm -f fd
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
     else
       log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
     fi
@@ -444,10 +486,6 @@
 
   cd $ARCHIVE_DIR
 
-  # Remove the temporary directory and files as they are no longer needed.
-  rm -rf $TMP_DIR
-  rm -f $ERR_LOG_FILE
-
   #Only delete the old archive after a successful archive
   export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
   if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
@@ -459,6 +497,25 @@
     done
   fi
 
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  # Remote backup
   REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
   if $REMOTE_BACKUP; then
     # Remove Quotes from the constants which were added due to reading
@@ -490,7 +547,7 @@
       get_backup_prefix $(cat $DB_BACKUP_FILES)
       for ((i=0; i<${#PREFIXES[@]}; i++)); do
         echo "Working with prefix: ${PREFIXES[i]}"
-        create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
         remove_old_remote_archives
       done
     fi
@@ -511,4 +568,4 @@
     echo "=================================================================="
   fi
 }
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/placement/requirements.lock b/charts/placement/requirements.lock
index dd3e146..8c8838b 100644
--- a/charts/placement/requirements.lock
+++ b/charts/placement/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: helm-toolkit
   repository: file://../../openstack-helm-infra/helm-toolkit
-  version: 0.2.46
-digest: sha256:4baae4035ac4ec09ff414ac48d8f1e3f030d1ce1629727cb1ff24d44ffa000f1
-generated: "2022-08-16T23:07:28.301383965Z"
+  version: 0.2.50
+digest: sha256:67fc0fd70898d60cddd5c634b632205a7716bfeb21e57adaeda464efbcfa2ce3
+generated: "2023-01-13T22:23:17.712734121Z"
diff --git a/charts/placement/templates/bin/_db-migrate.sh.tpl b/charts/placement/templates/bin/_db-migrate.sh.tpl
deleted file mode 100644
index 838e05f..0000000
--- a/charts/placement/templates/bin/_db-migrate.sh.tpl
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/bin/bash
-
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-set -ex
-
-# To make this migration idempotent and not break the chart deployment,
-# we will treat a new deployment ($?==4) and migration completed ($?==3)
-# as success so things can proceed.
-function handler {
-  rv=$?
-  if [ $rv -eq 4 ] || [ $rv -eq 3 ]; then
-    exit 0
-  else
-    exit $rv
-  fi
-}
-
-trap handler EXIT
-
-/tmp/mysql-migrate-db.sh --mkconfig /tmp/migrate-db.rc
-
-sed -i \
-  -e "s/NOVA_API_USER=.*/NOVA_API_USER=\"${NOVA_API_USER}\"/g" \
-  -e "s/NOVA_API_PASS=.*/NOVA_API_PASS=\"${NOVA_API_PASS}\"/g" \
-  -e "s/NOVA_API_DB_HOST=.*/NOVA_API_DB_HOST=\"${NOVA_API_DB_HOST}\"/g" \
-  -e "s/PLACEMENT_USER=.*/PLACEMENT_USER=\"${PLACEMENT_USER}\"/g" \
-  -e "s/PLACEMENT_PASS=.*/PLACEMENT_PASS=\"${PLACEMENT_PASS}\"/g" \
-  -e "s/PLACEMENT_DB_HOST=.*/PLACEMENT_DB_HOST=\"${PLACEMENT_DB_HOST}\"/g" \
-  /tmp/migrate-db.rc
-
-/tmp/mysql-migrate-db.sh --migrate /tmp/migrate-db.rc
diff --git a/charts/placement/templates/bin/_mysql-migrate-db.sh.tpl b/charts/placement/templates/bin/_mysql-migrate-db.sh.tpl
deleted file mode 100644
index a87ebaf..0000000
--- a/charts/placement/templates/bin/_mysql-migrate-db.sh.tpl
+++ /dev/null
@@ -1,328 +0,0 @@
-#!/bin/bash
-
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-# This script will attempt to migrate your nova-api placement data to
-# a new placement database. Run it with --help for usage, and --mkconfig
-# to write a template config file to use.
-
-# Defaults we can guess
-DEFAULT_MIGRATE_TABLES="allocations placement_aggregates consumers inventories projects "
-DEFAULT_MIGRATE_TABLES+="resource_classes resource_provider_aggregates resource_provider_traits "
-DEFAULT_MIGRATE_TABLES+="resource_providers traits users "
-MIGRATE_TABLES=${MIGRATE_TABLES:-$DEFAULT_MIGRATE_TABLES}
-PLACEMENT_DB_HOST=${PLACEMENT_DB_HOST:-localhost}
-PLACEMENT_DB=${PLACEMENT_DB:-placement}
-NOVA_API_DB_HOST=${NOVA_API_DB_HOST:-localhost}
-NOVA_API_DB=${NOVA_API_DB:-nova_api}
-TMPDIR=${TMPDIR:-/tmp}
-LAST_MYSQL_ERR=${TMPDIR}/migrate-mysql-db.err
-INITIAL_PLACEMENT_DB_VERSION=${INITIAL_DB_VERSION:-b4ed3a175331}
-ME=$(basename "$0")
-
-declare -a ARGS
-declare -a OPTS
-
-function getflag() {
-    # Return true if --$flag is present on the command line
-    # Usage: getflag help -> 0
-    local flag="$1"
-    for opt in ${OPTS[*]}; do
-        if [ "$opt" == "--${flag}" ]; then
-            return 0
-        fi
-    done
-    return 1
-}
-
-function parse_argv() {
-    # Parse command line arguments into positional arguments and
-    # option flags. Store each in $ARGS, $OPTS.
-    # Usage: parse_argv $*
-    for item in $*; do
-        if echo $item | grep -q -- '^--'; then
-            OPTS+=($item)
-        else
-            ARGS+=($item)
-        fi
-    done
-}
-
-function db_var() {
-    # Return an attribute of database config based on the symbolic
-    # name
-    # Usage: db_var PLACEMENT USER -> $PLACEMENT_USER
-    local db="$1"
-    local var="$2"
-
-    eval echo "\$${db}_${var}"
-}
-
-function mysql_command() {
-    # Run a mysql command with the usual connection information taken
-    # from a symbolic configuration name
-    # Usage: mysql_command PLACEMENT [command] [args..] -> stdout
-    local whichdb="$1"
-    shift
-    local command=mysql
-    if [ "$2" ]; then
-        command=${1:-mysql}
-        shift
-    fi
-    local db=$(db_var $whichdb DB)
-    local host=$(db_var $whichdb DB_HOST)
-    local user=$(db_var $whichdb USER)
-    local pass=$(db_var $whichdb PASS)
-
-    if [ "$command" = "mysql" ]; then
-        command="mysql --skip-column-names"
-    fi
-
-    if [ ! -z "$MARIADB_X509" ]; then
-        local ca=/etc/mysql/certs/ca.crt
-        local cert=/etc/mysql/certs/tls.crt
-        local key=/etc/mysql/certs/tls.key
-        $command -h$host -u$user -p$pass $db --ssl-ca=$ca --ssl-cert=$cert --ssl-key=$key $* 2>$LAST_MYSQL_ERR
-    else
-        $command -h$host -u$user -p$pass $db $* 2>$LAST_MYSQL_ERR
-    fi
-}
-
-function show_error() {
-    # Prints the last error (if present) and removes the temporary
-    # file
-    if [ -f $LAST_MYSQL_ERR ]; then
-        cat $LAST_MYSQL_ERR
-        rm -f $LAST_MYSQL_ERR
-    fi
-}
-
-function check_db() {
-    # Check a DB to see if it's missing, present, filled with data
-    # Returns 0 if it is present with data, 1 if present but no data
-    # or 2 if not present (or unable to connect)
-    # Usage: check_db PLACEMENT -> 0
-    local whichdb="$1"
-
-    local inv
-    local inv_count
-
-    if ! echo "SELECT DATABASE()" | mysql_command $whichdb >/dev/null 2>&1; then
-        echo "Failed to connect to $whichdb database"
-        show_error
-        return 2
-    fi
-
-    inv=$(echo "SELECT COUNT(id) FROM inventories" |
-              mysql_command $whichdb)
-    if [ $? -ne 0 ]; then
-        # No schema
-        return 1
-    fi
-
-    inv_count=$(echo $inv | tail -n1)
-    if [ $inv_count -gt 0 ]; then
-        # Data found
-        return 0
-    else
-        # No data found, but schema intact
-        return 1
-    fi
-}
-
-function check_cli() {
-    # Returns 0 if placement cli is installed and configured,
-    # 1 if it is not installed, or 2 if the access to the
-    # placement database fails
-    # Usage: check_cli -> 0
-    placement-manage --version > /dev/null 2>&1
-
-    if [ $? -ne 0 ]; then
-        # placement not installed
-        return 1
-    fi
-
-    placement-manage db version > /dev/null 2>&1
-
-    if [ $? -ne 0 ]; then
-        # DB connection fails
-        return 2
-    fi
-}
-
-function migrate_data() {
-    # Actually migrate data from a source to destination symbolic
-    # database. Returns 1 if failure, 0 otherwise.
-    # Usage: migrate_data NOVA_API PLACEMENT -> 0
-    local source="$1"
-    local dest="$2"
-    local dump_flags="$3"
-    local tmpdir=$(mktemp -d migrate-db.XXXXXXXX)
-    local tmpfile="${tmpdir}/from-nova.sql"
-
-    echo "Dumping from $source to $tmpfile"
-    mysql_command $source mysqldump $dump_flags $MIGRATE_TABLES > $tmpfile || {
-        echo 'Failed to dump source database:'
-        show_error
-        return 1
-    }
-    echo "Loading to $dest from $tmpfile"
-    mysql_command $dest < $tmpfile || {
-        echo 'Failed to load destination database:'
-        show_error
-        return 1
-    }
-}
-
-function sanity_check_env() {
-    # Check that we have everything we need to examine the situation
-    # and potentially do the migration. Loads values from the rcfile,
-    # if present. Returns 1 if a config was not found, 2 if that
-    # config is incomplete or 0 if everything is good.
-    # Usage: sanity_check_env $rcfile -> 0
-
-    RCFILE="${1:-migrate-db.rc}"
-    if [ "$RCFILE" = '-' ]; then
-        # Don't require a file and assume everything is already
-        # set in the environment
-        true
-    elif [ ! -f "$RCFILE" ]; then
-        echo -n 'ERROR: Specify an RC file on the command line or create '
-        echo 'migrate-db.rc in the current directory'
-        echo
-        show_help
-    else
-        source $RCFILE
-    fi
-
-    required="NOVA_API_DB NOVA_API_USER NOVA_API_PASS PLACEMENT_DB PLACEMENT_USER PLACEMENT_PASS"
-    for var in $required; do
-        value=$(eval echo "\$$var")
-        if [ -z "$value" ]; then
-            echo "A value for $var was not provided but is required"
-            return 2
-        fi
-    done
-}
-
-function make_config() {
-    # Create or update a config file with defaults we know. Either use
-    # the default migrate-db.rc or the file specified on the command
-    # line.
-    RCFILE="${1:-migrate-db.rc}"
-    if [ -f "$RCFILE" ]; then
-        source $RCFILE
-    fi
-
-    vars="NOVA_API_DB NOVA_API_USER NOVA_API_PASS NOVA_API_DB_HOST "
-    vars+="PLACEMENT_DB PLACEMENT_USER PLACEMENT_PASS PLACEMENT_DB_HOST "
-    vars+="MIGRATE_TABLES"
-
-    (for var in $vars; do
-         val=$(eval echo "\$$var")
-         echo "${var}=\"$val\""
-     done) > $RCFILE
-
-    echo Wrote $(readlink -f $RCFILE)
-}
-
-function show_help() {
-    echo "Usage: $ME [flags] [rcfile]"
-    echo
-    echo "Flags:"
-    echo "    --help: this text"
-    echo "    --migrate: actually do data migration"
-    echo "    --mkconfig: write/update config to \$rcfile"
-    echo "    --skip-locks: don't use table locks for data migration"
-    echo
-    echo "Pass '-' as \$rcfile if all config values are set in"
-    echo "the environment."
-    echo
-    echo "Exit codes:"
-    echo "    0: Success"
-    echo "    1: Usage error"
-    echo "    2: Configuration missing or incomplete"
-    echo "    3: Migration already completed"
-    echo "    4: No data to migrate from nova (new deployment)"
-    echo "    5: Unable to connect to one or both databases"
-    echo "    6: Unable to execute placement's CLI commands"
-    exit 0
-}
-
-parse_argv $*
-
-if getflag help; then
-    show_help
-fi
-
-if getflag mkconfig; then
-    make_config $ARGS
-    exit 0
-fi
-
-#
-# Actual migration logic starts here
-#
-
-# Sanity check that we have what we need or bail
-sanity_check_env $ARGS || exit $?
-
-# Check the state of each database we care about
-check_db NOVA_API
-nova_present=$?
-check_db PLACEMENT
-placement_present=$?
-check_cli
-placement_cli=$?
-
-# Try to come up with a good reason to refuse to migrate
-if [ $nova_present -eq 0 -a $placement_present -eq 0 ]; then
-    echo "Migration has already completed. The placement database appears to have data."
-    exit 3
-elif [ $nova_present -eq 1 ]; then
-    echo "No data present in nova database - nothing to migrate (new deployment?)"
-    exit 4
-elif [ $nova_present -eq 2 ]; then
-    echo "Unable to proceed without connection to nova database"
-    exit 5
-elif [ $placement_present -eq 2 ]; then
-    echo "Unable to proceed without connection to placement database"
-    exit 5
-elif [ $placement_cli -eq 1 ]; then
-    echo "Unable to proceed without placement installed"
-    exit 6
-elif [ $placement_cli -eq 2 ]; then
-    echo "The 'placement-manage db version' command fails"
-    echo "Is placement.conf configured to access the new database?"
-    exit 6
-fi
-
-# If we get here, we expect to be able to migrate. Require them to opt into
-# actual migration before we do anything.
-
-echo Nova database contains data, placement database does not. Okay to proceed with migration
-
-if getflag migrate $*; then
-    if getflag skip-locks $*; then
-        migrate_data NOVA_API PLACEMENT "--skip-lock-tables --skip-add-locks"
-    else
-        migrate_data NOVA_API PLACEMENT
-    fi
-    placement-manage db stamp $INITIAL_PLACEMENT_DB_VERSION
-else
-    echo "To actually migrate, run me with --migrate"
-fi
-
-rm -f $LAST_MYSQL_ERR
diff --git a/charts/placement/templates/configmap-bin.yaml b/charts/placement/templates/configmap-bin.yaml
index 4fc59ce..0bc5546 100644
--- a/charts/placement/templates/configmap-bin.yaml
+++ b/charts/placement/templates/configmap-bin.yaml
@@ -30,14 +30,10 @@
 {{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
   db-drop.py: |
 {{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
-  db-migrate.sh: |
-{{ tuple "bin/_db-migrate.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   ks-service.sh: |
 {{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
   ks-endpoints.sh: |
 {{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
   ks-user.sh: |
 {{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
-  mysql-migrate-db.sh: |
-{{ tuple "bin/_mysql-migrate-db.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}
diff --git a/charts/placement/templates/deployment.yaml b/charts/placement/templates/deployment.yaml
index 9dcde00..605f952 100644
--- a/charts/placement/templates/deployment.yaml
+++ b/charts/placement/templates/deployment.yaml
@@ -64,6 +64,11 @@
 {{ tuple $envAll "placement" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "placement" "container" "placement_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/placement/certs/ca.crt"
+{{- end }}
           command:
             - /tmp/placement-api.sh
             - start
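Review bot: `.Values.tls.identity` is read in the added `if or …` here, in the two `tls_volume_mount` / `tls_volume` lines later in this file, and in job-ks-endpoints.yaml, job-ks-service.yaml and job-ks-user.yaml, but the visible part of the values.yaml diff does not show a `tls:` key being added (that hunk is cut off in this view). If the key is missing, Helm fails the render on a nil map access instead of treating the value as false, so confirm that values.yaml ships a default of `identity: false` under `tls:`. When `tls.identity` is true and `manifests.certificates` is false, the pod mounts the secret named by `.Values.secrets.tls.placement.api.internal`, which this chart then presumably does not create. A template comment above the `if` should state that the secret must already exist in that case.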
@@ -75,16 +80,19 @@
                   - stop
           ports:
             - name: p-api
-              containerPort: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              containerPort: {{ tuple "placement" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
           readinessProbe:
-            # NOTE(portdirect): use tcpSocket check as HTTP will return 401
-            tcpSocket:
-              port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            httpGet:
+              scheme: {{ tuple "placement" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+              path: /
+              port: {{ tuple "placement" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
             initialDelaySeconds: 15
             periodSeconds: 10
           livenessProbe:
-            tcpSocket:
-              port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            httpGet:
+              scheme: {{ tuple "placement" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+              path: /
+              port: {{ tuple "placement" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
             initialDelaySeconds: 50
             periodSeconds: 10
           volumeMounts:
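Review bot: The removed note said the probes used `tcpSocket` because HTTP returns 401, and a kubelet `httpGet` probe counts only 2xx and 3xx responses as success, so both new probes depend on `GET /` being answered without a token. The removed comment should be replaced by one that records why this now holds, for example `# NOTE: GET / serves the unauthenticated version document, so no token is needed`, once that is confirmed for the deployed placement image. Because the liveness probe issues the same request, any condition that makes `/` return an error will restart the container, not just mark it unready. The container spec starts and ends outside this hunk.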
@@ -115,7 +123,7 @@
               subPath: wsgi-placement.conf
               readOnly: true
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_placement.volumeMounts }}{{ toYaml $mounts_placement.volumeMounts | indent 12 }}{{ end }}
       volumes:
         - name: pod-tmp
@@ -131,6 +139,6 @@
             secretName: placement-etc
             defaultMode: 0444
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_placement.volumes }}{{ toYaml $mounts_placement.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/charts/placement/templates/job-db-migrate.yaml b/charts/placement/templates/job-db-migrate.yaml
deleted file mode 100644
index 1b7f863..0000000
--- a/charts/placement/templates/job-db-migrate.yaml
+++ /dev/null
@@ -1,108 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.job_db_migrate }}
-{{- $envAll := . }}
-{{- $serviceAccountName := "placement-db-migrate" -}}
-{{- $service := "db_migrate" -}}
-{{ tuple $envAll $service $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: placement-db-migrate
-  labels:
-{{ tuple $envAll "placement" "db-migrate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-  annotations:
-{{- if .Values.helm3_hook }}
-    helm.sh/hook: post-install,post-upgrade
-    helm.sh/hook-weight: "-4"
-{{- end }}
-    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
-spec:
-  template:
-    metadata:
-      labels:
-{{ tuple $envAll "placement" $service  | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
-      annotations:
-{{ dict "envAll" $envAll "podName" "placement-db-migrate" "containerNames" (list "placement-mysql-migration" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
-    spec:
-      serviceAccountName: {{ $serviceAccountName }}
-{{ dict "envAll" $envAll "application" "placement" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
-      restartPolicy: OnFailure
-      nodeSelector:
-        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
-{{ if $envAll.Values.pod.tolerations.placement.enabled }}
-{{ tuple $envAll "placement" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
-{{ end }}
-      initContainers:
-{{ tuple $envAll $service list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
-      containers:
-        - name: placement-mysql-migration
-{{ tuple $envAll $service | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "placement" "container" "placement_mysql_migration" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-          command:
-            - /tmp/db-migrate.sh
-          env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
-{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
-{{- end }}
-            - name: NOVA_API_USER
-              value: {{ .Values.endpoints.oslo_db.auth.nova_api.username | quote }}
-            - name: NOVA_API_PASS
-              value: {{ .Values.endpoints.oslo_db.auth.nova_api.password | quote }}
-            - name: NOVA_API_DB_HOST
-              value: {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" | quote }}
-            - name: PLACEMENT_USER
-              value: {{ .Values.endpoints.oslo_db.auth.placement.username | quote }}
-            - name: PLACEMENT_PASS
-              value: {{ .Values.endpoints.oslo_db.auth.placement.password | quote }}
-            - name: PLACEMENT_DB_HOST
-              value: {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" | quote }}
-{{- if $envAll.Values.manifests.certificates }}
-            - name: MARIADB_X509
-              value: "REQUIRE X509"
-{{- end }}
-          volumeMounts:
-            - name: pod-tmp
-              mountPath: /tmp
-            - name: placement-bin
-              mountPath: /tmp/mysql-migrate-db.sh
-              subPath: mysql-migrate-db.sh
-              readOnly: true
-            - name: placement-bin
-              mountPath: /tmp/db-migrate.sh
-              subPath: db-migrate.sh
-              readOnly: true
-            - name: placement-etc
-              mountPath: /etc/placement/placement.conf
-              subPath: placement.conf
-              readOnly: true
-{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-      volumes:
-        - name: pod-tmp
-          emptyDir: {}
-        - name: placement-bin
-          configMap:
-            name: placement-bin
-            defaultMode: 0555
-        - name: placement-etc
-          secret:
-            secretName: placement-etc
-            defaultMode: 0444
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- end }}
diff --git a/charts/placement/templates/job-ks-endpoints.yaml b/charts/placement/templates/job-ks-endpoints.yaml
index 111ba33..bfb0bd2 100644
--- a/charts/placement/templates/job-ks-endpoints.yaml
+++ b/charts/placement/templates/job-ks-endpoints.yaml
@@ -21,7 +21,7 @@
 
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/charts/placement/templates/job-ks-service.yaml b/charts/placement/templates/job-ks-service.yaml
index 10e45bd..3f05eb0 100644
--- a/charts/placement/templates/job-ks-service.yaml
+++ b/charts/placement/templates/job-ks-service.yaml
@@ -21,7 +21,7 @@
 
 {{- if .Values.manifests.job_ks_service }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/charts/placement/templates/job-ks-user.yaml b/charts/placement/templates/job-ks-user.yaml
index 2c1a002..056938b 100644
--- a/charts/placement/templates/job-ks-user.yaml
+++ b/charts/placement/templates/job-ks-user.yaml
@@ -21,7 +21,7 @@
 
 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "placement" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/charts/placement/templates/service.yaml b/charts/placement/templates/service.yaml
index 3d9bd01..aa0168e 100644
--- a/charts/placement/templates/service.yaml
+++ b/charts/placement/templates/service.yaml
@@ -24,7 +24,7 @@
 spec:
   ports:
   - name: p-api
-    port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    port: {{ tuple "placement" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
     {{ if .Values.network.api.node_port.enabled }}
     nodePort: {{ .Values.network.api.node_port.port }}
     {{ end }}
diff --git a/charts/placement/values.yaml b/charts/placement/values.yaml
index 578d947..ff33660 100644
--- a/charts/placement/values.yaml
+++ b/charts/placement/values.yaml
@@ -36,7 +36,6 @@
     ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
     db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
     db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
-    db_migrate: quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic
     placement_db_sync: docker.io/openstackhelm/placement:stein-ubuntu_bionic
     dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
     image_repo_sync: docker.io/docker:17.07.0
@@ -74,44 +73,7 @@
       #   - status
       a2enmod: null
       a2dismod: null
-  policy:
-    "context_is_admin": "role:admin"
-    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s"
-    "default": "rule:admin_or_owner"
-    "admin_api": "role:admin"
-    "placement:resource_providers:list": "rule:admin_api"
-    "placement:resource_providers:create": "rule:admin_api"
-    "placement:resource_providers:show": "rule:admin_api"
-    "placement:resource_providers:update": "rule:admin_api"
-    "placement:resource_providers:delete": "rule:admin_api"
-    "placement:resource_classes:list": "rule:admin_api"
-    "placement:resource_classes:create": "rule:admin_api"
-    "placement:resource_classes:show": "rule:admin_api"
-    "placement:resource_classes:update": "rule:admin_api"
-    "placement:resource_classes:delete": "rule:admin_api"
-    "placement:resource_providers:inventories:list": "rule:admin_api"
-    "placement:resource_providers:inventories:create": "rule:admin_api"
-    "placement:resource_providers:inventories:show": "rule:admin_api"
-    "placement:resource_providers:inventories:update": "rule:admin_api"
-    "placement:resource_providers:inventories:delete": "rule:admin_api"
-    "placement:resource_providers:aggregates:list": "rule:admin_api"
-    "placement:resource_providers:aggregates:update": "rule:admin_api"
-    "placement:resource_providers:usages": "rule:admin_api"
-    "placement:usages": "rule:admin_api"
-    "placement:traits:list": "rule:admin_api"
-    "placement:traits:show": "rule:admin_api"
-    "placement:traits:update": "rule:admin_api"
-    "placement:traits:delete": "rule:admin_api"
-    "placement:resource_providers:traits:list": "rule:admin_api"
-    "placement:resource_providers:traits:update": "rule:admin_api"
-    "placement:resource_providers:traits:delete": "rule:admin_api"
-    "placement:allocations:manage": "rule:admin_api"
-    "placement:allocations:list": "rule:admin_api"
-    "placement:allocations:update": "rule:admin_api"
-    "placement:allocations:delete": "rule:admin_api"
-    "placement:resource_providers:allocations:list": "rule:admin_api"
-    "placement:allocation_candidates:list": "rule:admin_api"
-    "placement:reshaper:reshape": "rule:admin_api"
+  policy: {}
   placement:
     DEFAULT:
       debug: false
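Review bot: `policy: {}` drops the chart's explicit `rule:admin_api` bindings for every placement API, so the effective authorization now depends entirely on the defaults built into whichever placement image is deployed. That deserves a comment above the key, for example `# Empty on purpose: placement uses its in-code policy defaults; add overrides here.`, and a check that the images listed under values_overrides ship the defaults you expect. How the template renders an empty policy mapping is not visible in this hunk. The senlin values.yaml hunk later in this commit makes the same change, replacing `context_is_admin`, `deny_everybody` and the per-API entries with `policy: {}`.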
@@ -184,13 +146,13 @@
       format: "%(message)s"
       datefmt: "%Y-%m-%d %H:%M:%S"
   wsgi_placement: |
-    Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    Listen 0.0.0.0:{{ tuple "placement" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
     LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
     LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
     SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
     CustomLog /dev/stdout combined env=!forwarded
     CustomLog /dev/stdout proxy env=forwarded
-    <VirtualHost *:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
+    <VirtualHost *:{{ tuple "placement" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
         WSGIDaemonProcess placement-api processes=4 threads=1 user=placement group=placement display-name=%{GROUP}
         WSGIProcessGroup placement-api
         WSGIScriptAlias / /var/www/cgi-bin/placement/placement-api
@@ -325,10 +287,12 @@
       default: /
     scheme:
       default: 'http'
+      service: 'http'
     port:
       api:
         default: 8778
         public: 80
+        service: 8778
 
 pod:
   security_context:
@@ -408,13 +372,6 @@
         limits:
           memory: "1024Mi"
           cpu: "2000m"
-      db_migrate:
-        requests:
-          memory: "128Mi"
-          cpu: "100m"
-        limits:
-          memory: "1024Mi"
-          cpu: "2000m"
       ks_endpoints:
         requests:
           memory: "128Mi"
@@ -491,18 +448,9 @@
       services:
         - endpoint: internal
           service: oslo_db
-    db_migrate:
-      jobs:
-        - placement-db-init
-        - nova-db-sync
-      services:
-        - endpoint: internal
-          service: oslo_db
     db_sync:
       jobs:
         - placement-db-init
-        # NOTE: This needs to be enabled if placement migration is required.
-        # - placement-db-migrate
       services:
         - endpoint: internal
           service: oslo_db
@@ -511,6 +459,11 @@
 # set helm3_hook: false when using the helm2 binary.
 helm3_hook: true
 
+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
 manifests:
   certificates: false
   configmap_bin: true
@@ -520,7 +473,6 @@
   job_db_init: true
   job_db_sync: true
   job_db_drop: false
-  job_db_migrate: false
   job_ks_endpoints: true
   job_ks_service: true
   job_ks_user: true
diff --git a/charts/placement/values_overrides/apparmor.yaml b/charts/placement/values_overrides/apparmor.yaml
index 84ca750..ee883ac 100644
--- a/charts/placement/values_overrides/apparmor.yaml
+++ b/charts/placement/values_overrides/apparmor.yaml
@@ -5,10 +5,4 @@
     placement-api:
       placement-api: runtime/default
       init: runtime/default
-    placement-db-migrate:
-      init: runtime/default
-      placement-mysql-migration: runtime/default
-
-manifests:
-  job_db_migrate: true
 ...
diff --git a/charts/placement/values_overrides/tls-offloading.yaml b/charts/placement/values_overrides/tls-offloading.yaml
new file mode 100644
index 0000000..ff97285
--- /dev/null
+++ b/charts/placement/values_overrides/tls-offloading.yaml
@@ -0,0 +1,12 @@
+---
+endpoints:
+  identity:
+    auth:
+      admin:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+      placement:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+
+tls:
+  identity: true
+...
diff --git a/charts/placement/values_overrides/tls.yaml b/charts/placement/values_overrides/tls.yaml
index adfd359..514b660 100644
--- a/charts/placement/values_overrides/tls.yaml
+++ b/charts/placement/values_overrides/tls.yaml
@@ -13,13 +13,13 @@
     keystone_authtoken:
       cafile: /etc/placement/certs/ca.crt
   wsgi_placement: |
-    Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+    Listen 0.0.0.0:{{ tuple "placement" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
     LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
     LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
     SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
     CustomLog /dev/stdout combined env=!forwarded
     CustomLog /dev/stdout proxy env=forwarded
-    <VirtualHost *:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
+    <VirtualHost *:{{ tuple "placement" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
       ServerName {{ printf "%s.%s.svc.%s" "placement-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
       WSGIDaemonProcess placement-api processes=4 threads=1 user=placement group=placement display-name=%{GROUP}
       WSGIProcessGroup placement-api
@@ -71,6 +71,7 @@
             kind: ClusterIssuer
     scheme:
       default: https
+      service: https
     port:
       api:
         public: 443
diff --git a/charts/placement/values_overrides/train-ubuntu_bionic.yaml b/charts/placement/values_overrides/train-ubuntu_bionic.yaml
deleted file mode 100644
index d721085..0000000
--- a/charts/placement/values_overrides/train-ubuntu_bionic.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-images:
-  pull_policy: IfNotPresent
-  tags:
-    placement: "docker.io/openstackhelm/placement:train-ubuntu_bionic"
-    ks_user: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
-    ks_service: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
-    ks_endpoints: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
-    db_init: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
-    db_drop: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
-    db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
-    placement_db_sync: "docker.io/openstackhelm/placement:train-ubuntu_bionic"
-    dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
-    image_repo_sync: "docker.io/docker:17.07.0"
-manifests:
-  job_db_migrate: true
-dependencies:
-  static:
-    db_sync:
-      jobs:
-        - placement-db-init
-        - placement-db-migrate
-...
diff --git a/charts/placement/values_overrides/ussuri-ubuntu_bionic.yaml b/charts/placement/values_overrides/ussuri-ubuntu_bionic.yaml
deleted file mode 100644
index 6f19c55..0000000
--- a/charts/placement/values_overrides/ussuri-ubuntu_bionic.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-images:
-  pull_policy: IfNotPresent
-  tags:
-    placement: "docker.io/openstackhelm/placement:ussuri-ubuntu_bionic"
-    ks_user: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
-    ks_service: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
-    ks_endpoints: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
-    db_init: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
-    db_drop: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
-    db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
-    placement_db_sync: "docker.io/openstackhelm/placement:ussuri-ubuntu_bionic"
-    dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
-    image_repo_sync: "docker.io/docker:17.07.0"
-manifests:
-  job_db_migrate: true
-dependencies:
-  static:
-    db_sync:
-      jobs:
-        - placement-db-init
-        - placement-db-migrate
-...
diff --git a/charts/placement/values_overrides/victoria-ubuntu_focal.yaml b/charts/placement/values_overrides/victoria-ubuntu_focal.yaml
index 1c94633..55a4693 100644
--- a/charts/placement/values_overrides/victoria-ubuntu_focal.yaml
+++ b/charts/placement/values_overrides/victoria-ubuntu_focal.yaml
@@ -8,16 +8,12 @@
     ks_endpoints: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
     db_init: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
     db_drop: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
-    db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
     placement_db_sync: "docker.io/openstackhelm/placement:victoria-ubuntu_focal"
     dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
     image_repo_sync: "docker.io/docker:17.07.0"
-manifests:
-  job_db_migrate: true
 dependencies:
   static:
     db_sync:
       jobs:
         - placement-db-init
-        - placement-db-migrate
 ...
diff --git a/charts/placement/values_overrides/wallaby-ubuntu_focal.yaml b/charts/placement/values_overrides/wallaby-ubuntu_focal.yaml
index 9122f5b..47cf660 100644
--- a/charts/placement/values_overrides/wallaby-ubuntu_focal.yaml
+++ b/charts/placement/values_overrides/wallaby-ubuntu_focal.yaml
@@ -8,16 +8,12 @@
     ks_endpoints: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
     db_init: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
     db_drop: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
-    db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
     placement_db_sync: "docker.io/openstackhelm/placement:wallaby-ubuntu_focal"
     dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
     image_repo_sync: "docker.io/docker:17.07.0"
-manifests:
-  job_db_migrate: true
 dependencies:
   static:
     db_sync:
       jobs:
         - placement-db-init
-        - placement-db-migrate
 ...
diff --git a/charts/placement/values_overrides/xena-ubuntu_focal.yaml b/charts/placement/values_overrides/xena-ubuntu_focal.yaml
index c8355d9..68baf2c 100644
--- a/charts/placement/values_overrides/xena-ubuntu_focal.yaml
+++ b/charts/placement/values_overrides/xena-ubuntu_focal.yaml
@@ -8,16 +8,12 @@
     ks_endpoints: "docker.io/openstackhelm/heat:xena-ubuntu_focal"
     db_init: "docker.io/openstackhelm/heat:xena-ubuntu_focal"
     db_drop: "docker.io/openstackhelm/heat:xena-ubuntu_focal"
-    db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
     placement_db_sync: "docker.io/openstackhelm/placement:xena-ubuntu_focal"
     dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
     image_repo_sync: "docker.io/docker:17.07.0"
-manifests:
-  job_db_migrate: true
 dependencies:
   static:
     db_sync:
       jobs:
         - placement-db-init
-        - placement-db-migrate
 ...
diff --git a/charts/placement/values_overrides/yoga-ubuntu_focal.yaml b/charts/placement/values_overrides/yoga-ubuntu_focal.yaml
index b508709..46fdb90 100644
--- a/charts/placement/values_overrides/yoga-ubuntu_focal.yaml
+++ b/charts/placement/values_overrides/yoga-ubuntu_focal.yaml
@@ -8,16 +8,12 @@
     ks_endpoints: "docker.io/openstackhelm/heat:yoga-ubuntu_focal"
     db_init: "docker.io/openstackhelm/heat:yoga-ubuntu_focal"
     db_drop: "docker.io/openstackhelm/heat:yoga-ubuntu_focal"
-    db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
     placement_db_sync: "docker.io/openstackhelm/placement:yoga-ubuntu_focal"
     dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
     image_repo_sync: "docker.io/docker:17.07.0"
-manifests:
-  job_db_migrate: true
 dependencies:
   static:
     db_sync:
       jobs:
         - placement-db-init
-        - placement-db-migrate
 ...
diff --git a/charts/senlin/Chart.yaml b/charts/senlin/Chart.yaml
index e1614ff..2331440 100644
--- a/charts/senlin/Chart.yaml
+++ b/charts/senlin/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/senlin
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.6
+version: 0.2.8
diff --git a/charts/senlin/charts/helm-toolkit/Chart.yaml b/charts/senlin/charts/helm-toolkit/Chart.yaml
index d90280e..12e2dd2 100644
--- a/charts/senlin/charts/helm-toolkit/Chart.yaml
+++ b/charts/senlin/charts/helm-toolkit/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/openstack-helm-infra
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.44
+version: 0.2.50
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_ingress.tpl
index 7846895..4c476b2 100644
--- a/charts/senlin/charts/helm-toolkit/templates/manifests/_ingress.tpl
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -685,7 +685,7 @@
 {{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
 {{- end }}
 {{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
-{{- $ingressConf := $envAll.Values.network.server.ingress -}}
+{{- $ingressConf := $envAll.Values.network -}}
 {{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
 {{- range $key2, $ingressController := $ingressClasses }}
 {{- $vHosts := list $hostNameFull }}
@@ -706,7 +706,6 @@
 {{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
 {{- $vHosts = append $vHosts $v }}
 {{- end }}
-{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
 {{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
 {{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
   tls:
@@ -718,7 +717,6 @@
 {{- end }}
 {{- end }}
 {{- end }}
-{{- end }}
   rules:
 {{- range $vHost := $vHosts }}
 {{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
index 87872d6..3739f95 100644
--- a/charts/senlin/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -77,6 +77,11 @@
   password="${RABBITMQ_PASSWORD}" \
   tags="user"
 
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
 if [ "${RABBITMQ_VHOST}" != "/" ]
 then
   echo "Managing: vHost: ${RABBITMQ_VHOST}"
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
index 516d79e..687851e 100644
--- a/charts/senlin/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -66,6 +66,14 @@
 #       framework will automatically tar/zip the files in that directory and
 #       name the tarball appropriately according to the proper conventions.
 #
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
 # The functions in this file will take care of:
 #   1) Calling "dump_databases_to_directory" and then compressing the files,
 #      naming the tarball properly, and then storing it locally at the specified
@@ -90,6 +98,16 @@
   exit $ERRCODE
 }
 
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
 log() {
   #Log message to a file or stdout
   #TODO: This can be convert into mail alert of alert send to a monitoring system
@@ -201,12 +219,36 @@
     log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
     return 2
   fi
+
   openstack object show $CONTAINER_NAME $FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
     return 2
   fi
 
+  # Calculation remote file SHA256 hash
+  REMOTE_FILE=$(mktemp -p /tmp)
+  openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+  if [[ $? -ne 0 ]]; then
+    log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+    rm -rf ${REMOTE_FILE}
+    return 1
+  fi
+
+  # Remote backup verification
+  SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+  SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+  if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+      return 1
+  fi
+  rm -rf ${REMOTE_FILE}
+
   log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
   return 0
 }
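Review bot: On the hash-mismatch branch the function returns before `rm -rf ${REMOTE_FILE}` runs, so the downloaded copy of the database backup stays behind in /tmp; the failed-download branch above does clean up. Add `rm -f "${REMOTE_FILE}"` before the `return 1` in the `else` arm, or register the cleanup once right after `mktemp`. The `mktemp` result is also used without checking that it succeeded, and the expansions are unquoted; `openstack object save --file "${REMOTE_FILE}" "$CONTAINER_NAME" "$FILE"` would be safer. The function body starts outside this hunk.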
@@ -382,8 +424,8 @@
 
   # Cleanup now that we're done.
   for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
-    if [[ -f fd ]]; then
-      rm -f fd
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
     else
       log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
     fi
@@ -444,10 +486,6 @@
 
   cd $ARCHIVE_DIR
 
-  # Remove the temporary directory and files as they are no longer needed.
-  rm -rf $TMP_DIR
-  rm -f $ERR_LOG_FILE
-
   #Only delete the old archive after a successful archive
   export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
   if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
@@ -459,6 +497,25 @@
     done
   fi
 
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
+  # Remove the temporary directory and files as they are no longer needed.
+  rm -rf $TMP_DIR
+  rm -f $ERR_LOG_FILE
+
+  # Remote backup
   REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
   if $REMOTE_BACKUP; then
     # Remove Quotes from the constants which were added due to reading
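Review bot: A failed verification appears to end the job with status 0. `log_verify_backup_exit` is called here with only a message, and its definition added earlier in this file sets `ERRCODE=${2:-0}` and then runs `exit $ERRCODE`, so the `exit 1` on the following line is never reached (assuming `log` itself does not exit; its body is outside the hunks). Pass the code explicitly: `log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention." 1`. Because the call to `verify_databases_backup_archives` is unconditional, a script that sources this file without defining that function would also land in this branch. The enclosing function starts and ends outside the hunk.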
@@ -490,7 +547,7 @@
       get_backup_prefix $(cat $DB_BACKUP_FILES)
       for ((i=0; i<${#PREFIXES[@]}; i++)); do
         echo "Working with prefix: ${PREFIXES[i]}"
-        create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
         remove_old_remote_archives
       done
     fi
@@ -511,4 +568,4 @@
     echo "=================================================================="
   fi
 }
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/senlin/requirements.lock b/charts/senlin/requirements.lock
index 8fc523d..6af93d9 100644
--- a/charts/senlin/requirements.lock
+++ b/charts/senlin/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: helm-toolkit
   repository: file://../../openstack-helm-infra/helm-toolkit
-  version: 0.2.44
-digest: sha256:d3a834e34152bf30319ac30e116adc128b474ca63bbbe0fb323a7a2365a56455
-generated: "2022-08-10T23:42:35.775397606Z"
+  version: 0.2.50
+digest: sha256:67fc0fd70898d60cddd5c634b632205a7716bfeb21e57adaeda464efbcfa2ce3
+generated: "2023-01-13T22:23:16.929483229Z"
diff --git a/charts/senlin/templates/secret-registry.yaml b/charts/senlin/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/senlin/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/senlin/values.yaml b/charts/senlin/values.yaml
index b245bd3..5bd7f45 100644
--- a/charts/senlin/values.yaml
+++ b/charts/senlin/values.yaml
@@ -123,53 +123,7 @@
       senlin.filter_factory: senlin.api.middleware:webhook_filter
     filter:authtoken:
       paste.filter_factory: keystonemiddleware.auth_token:filter_factory
-  policy:
-    context_is_admin: role:admin
-    deny_everybody: "!"
-    build_info:build_info: ''
-    profile_types:index: ''
-    profile_types:get: ''
-    policy_types:index: ''
-    policy_types:get: ''
-    clusters:index: ''
-    clusters:create: ''
-    clusters:delete: ''
-    clusters:get: ''
-    clusters:action: ''
-    clusters:update: ''
-    clusters:collect: ''
-    profiles:index: ''
-    profiles:create: ''
-    profiles:get: ''
-    profiles:delete: ''
-    profiles:update: ''
-    profiles:validate: ''
-    nodes:index: ''
-    nodes:create: ''
-    nodes:get: ''
-    nodes:action: ''
-    nodes:update: ''
-    nodes:delete: ''
-    policies:index: ''
-    policies:create: ''
-    policies:get: ''
-    policies:update: ''
-    policies:delete: ''
-    policies:validate: ''
-    cluster_policies:index: ''
-    cluster_policies:attach: ''
-    cluster_policies:detach: ''
-    cluster_policies:update: ''
-    cluster_policies:get: ''
-    receivers:index: ''
-    receivers:create: ''
-    receivers:get: ''
-    receivers:delete: ''
-    actions:index: ''
-    actions:get: ''
-    events:index: ''
-    events:get: ''
-    webhooks:trigger: ''
+  policy: {}
   senlin:
     DEFAULT:
       log_config_append: /etc/senlin/logging.conf
@@ -389,6 +343,8 @@
   oslo_messaging:
     admin: senlin-rabbitmq-admin
     senlin: senlin-rabbitmq-user
+  oci_image_registry:
+    senlin: senlin-oci-image-registry
 
 # typically overridden by environmental
 # values, but should include all endpoints
@@ -407,6 +363,21 @@
     port:
       registry:
         node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      senlin:
+        username: senlin
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
   identity:
     name: keystone
     auth:
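Review bot: The new `oci_image_registry.auth.senlin` block ships `password: password` as a default, and `manifests.secret_registry` is switched on in the same file. Turning on `auth.enabled` without overriding the password would therefore render a registry secret with this well-known value, assuming the helm-toolkit secret_registry manifest reads it (that template is not in this hunk). A comment next to the key would help: `# placeholder only; override from a values file kept out of VCS when auth.enabled is true`. The `endpoints` mapping continues outside the hunk.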
@@ -744,6 +715,7 @@
   secret_db: true
   secret_keystone: true
   secret_rabbitmq: true
+  secret_registry: true
   service_ingress_api: true
   service_api: true
 ...
diff --git a/hack/sync-charts.sh b/hack/sync-charts.sh
index 662a0bf..c754e78 100755
--- a/hack/sync-charts.sh
+++ b/hack/sync-charts.sh
@@ -86,11 +86,11 @@
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/glance-${GLANCE_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
-CINDER_VERSION=0.2.25
+CINDER_VERSION=0.3.2
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/cinder-${CINDER_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
-PLACEMENT_VERSION=0.2.10
+PLACEMENT_VERSION=0.3.2
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/placement-${PLACEMENT_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
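Review bot: The bumped versions are fetched with `curl -sL … | tar -xz -C ${ATMOSPHERE}/charts`, and nothing pins or verifies the content that ends up vendored under charts/. Without `-f`, an HTTP error body is also piped straight into tar. Consider downloading each tarball to a file with `curl -fsSL -o`, checking it against a digest recorded next to the version (for example `echo "${CINDER_SHA256}  cinder.tgz" | sha256sum -c -`, where `CINDER_SHA256` is a new variable), and extracting only after the check passes. The same applies to the PLACEMENT, SENLIN, DESIGNATE, HEAT and HORIZON bumps in the following hunks of this file.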
@@ -110,15 +110,15 @@
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/nova-${NOVA_VERISON}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
-SENLIN_VERSION=0.2.6
+SENLIN_VERSION=0.2.8
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/senlin-${SENLIN_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
-DESIGNATE_VERSION=0.2.7
+DESIGNATE_VERSION=0.2.8
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/designate-${DESIGNATE_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
-HEAT_VERSION=0.2.8
+HEAT_VERSION=0.3.1
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/heat-${HEAT_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
@@ -130,7 +130,7 @@
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/magnum-${MAGNUM_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
-HORIZON_VERSION=0.2.24
+HORIZON_VERSION=0.3.1
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/horizon-${HORIZON_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 
diff --git a/plugins/filter/openstack_helm_image_tags.py b/plugins/filter/openstack_helm_image_tags.py
index b5a1ff5..f3fa663 100644
--- a/plugins/filter/openstack_helm_image_tags.py
+++ b/plugins/filter/openstack_helm_image_tags.py
@@ -55,7 +55,6 @@
 """
 
 SKIP_LIST = [
-    "db_migrate",
     "image_repo_sync",
     "nova_wait_for_computes_init",
     "purge_test",
diff --git a/roles/openstack_helm_horizon/vars/main.yml b/roles/openstack_helm_horizon/vars/main.yml
index e7d80fc..bcb7441 100644
--- a/roles/openstack_helm_horizon/vars/main.yml
+++ b/roles/openstack_helm_horizon/vars/main.yml
@@ -27,12 +27,6 @@
           secure_proxy_ssl_header: "True"
           horizon_images_upload_mode: direct
           openstack_enable_password_retrieve: "True"
-          # TODO(mnaser): We should drop `openstack_api_versions` once we fix the upstream change which
-          #               broke it by hard-coding to "1.19" which is not a valid microversion.
-          #
-          #               https://review.opendev.org/c/openstack/openstack-helm/+/870110
-          openstack_api_versions:
-            container_infra: "1.10"
           raw:
             WEBSSO_KEYSTONE_URL: https://{{ openstack_helm_endpoints['identity']['host_fqdn_override']['public']['host'] }}/v3
       local_settings_d: