Sync upstream patch for libvirt vencrypt
diff --git a/charts/libvirt/Chart.yaml b/charts/libvirt/Chart.yaml
index 68ea762..e43081d 100644
--- a/charts/libvirt/Chart.yaml
+++ b/charts/libvirt/Chart.yaml
@@ -8,4 +8,4 @@
 sources:
 - https://libvirt.org/git/?p=libvirt.git;a=summary
 - https://opendev.org/openstack/openstack-helm
-version: 0.1.8
+version: 0.1.23
diff --git a/charts/libvirt/charts/helm-toolkit/Chart.yaml b/charts/libvirt/charts/helm-toolkit/Chart.yaml
index a0ccd1d..e6aec81 100644
--- a/charts/libvirt/charts/helm-toolkit/Chart.yaml
+++ b/charts/libvirt/charts/helm-toolkit/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/openstack-helm-infra
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.34
+version: 0.2.54
diff --git a/charts/libvirt/charts/helm-toolkit/requirements.lock b/charts/libvirt/charts/helm-toolkit/requirements.lock
index da47547..e30fa2c 100644
--- a/charts/libvirt/charts/helm-toolkit/requirements.lock
+++ b/charts/libvirt/charts/helm-toolkit/requirements.lock
@@ -1,3 +1,3 @@
 dependencies: []
 digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
-generated: "2022-03-21T18:35:07.074136695Z"
+generated: "2023-08-29T21:31:03.922050828Z"
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_ingress.tpl
index c1693aa..4c476b2 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/manifests/_ingress.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -685,7 +685,9 @@
 {{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
 {{- end }}
 {{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
-{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
 {{- $vHosts := list $hostNameFull }}
 ---
 apiVersion: networking.k8s.io/v1
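Review bot: `$ingressConf := $envAll.Values.network` is handed to `hasKey` on the next line with no nil guard, so a values file that omits the `network` map would fail at render time with a type error from `hasKey` rather than falling back to both ingress classes; whether every consuming chart sets `network` is not visible here. The test can be made nil-safe and shorter at the same time: `{{- $useExternal := (default dict $envAll.Values.network).use_external_ingress_controller | default false }}` followed by `{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") $useExternal }}`. The first added line trims trailing whitespace with `-}}` while its neighbours end in `}}`; pick one form. The enclosing define starts and ends outside this hunk.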
@@ -704,7 +706,6 @@
 {{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
 {{- $vHosts = append $vHosts $v }}
 {{- end }}
-{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
 {{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
 {{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
   tls:
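Review bot: Dropping the `if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) )` guard means the `tls:` stanza and the `required` check on `$secretName` now run for every endpoint that reaches this point, so values that previously rendered without a TLS section (tls configured but crt/key empty) will now abort with "You need to specify a secret in your values for the endpoint" unless `secrets.tls.<service>.<backend>.<endpoint>` is set; the outer condition that brings us here is not visible in the hunk. If the intent is to let the TLS secret be managed outside the chart, that is a reasonable change, but it deserves a comment above the `$secretName` line, e.g. `{{/* TLS is always wired to a named secret here; it may be rendered from crt/key or supplied externally */}}`. The matching `{{- end }}` is removed in the following hunk (`@@ -716,7 +717,6 @@`). The enclosing define starts and ends outside this hunk.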
@@ -716,7 +717,6 @@
 {{- end }}
 {{- end }}
 {{- end }}
-{{- end }}
   rules:
 {{- range $vHost := $vHosts }}
 {{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
index 3cc07cc..5d98c8b 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -23,6 +23,7 @@
 {{- $jobAnnotations := index . "jobAnnotations" -}}
 {{- $jobLabels := index . "jobLabels" -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
 {{- $podVolMounts := index . "podVolMounts" | default false -}}
 {{- $podVols := index . "podVols" | default false -}}
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
@@ -73,6 +74,9 @@
       {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
       nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
       initContainers:
 {{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
       containers:
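Review bot: The new `include "helm-toolkit.snippets.kubernetes_tolerations"` relies on a snippet whose definition is not part of this diff, so if the vendored helm-toolkit does not already ship `templates/snippets/_kubernetes_tolerations.tpl` every job template fails to render as soon as `tolerationsEnabled` is true; the same include is added in `_job-db-drop-mysql.tpl`, `_job-db-init-mysql.tpl`, `_job-db-sync.tpl`, `_job-ks-endpoints.tpl`, `_job-ks-service.tpl`, `_job-ks-user.yaml.tpl`, `_job-rabbit-init.yaml.tpl`, `_job-s3-bucket.yaml.tpl`, `_job-s3-user.yaml.tpl` and `_job_image_repo_sync.tpl`. The new `tolerationsEnabled` argument does not appear in the header documentation of these templates as far as the hunks show; a one-line entry such as `tolerationsEnabled: optional, default false; when true the service's tolerations from values are rendered on the job pod` would help callers. Also `{{- end}}` is missing the space before `}}` that every other action in these files uses. The enclosing define starts and ends outside this hunk.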
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
index 91fd5ad..62ed119 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -28,6 +28,7 @@
 {{- $jobAnnotations := index . "jobAnnotations" -}}
 {{- $jobLabels := index . "jobLabels" -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
 {{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
 {{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
@@ -74,6 +75,9 @@
       {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
       nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
       initContainers:
 {{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
index b3348f5..745e8da 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -28,6 +28,7 @@
 {{- $jobAnnotations := index . "jobAnnotations" -}}
 {{- $jobLabels := index . "jobLabels" -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
 {{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
 {{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
@@ -74,6 +75,9 @@
       {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
       nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
       initContainers:
 {{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
index 0376343..24d2496 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -23,6 +23,7 @@
 {{- $jobAnnotations := index . "jobAnnotations" -}}
 {{- $jobLabels := index . "jobLabels" -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
 {{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
 {{- $podVolMounts := index . "podVolMounts" | default false -}}
@@ -71,6 +72,9 @@
       {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
       nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
       initContainers:
 {{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
index 2d130e1..3a7df7f 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -24,6 +24,7 @@
 {{- $jobAnnotations := index . "jobAnnotations" -}}
 {{- $jobLabels := index . "jobLabels" -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
 {{- $secretBin := index . "secretBin" -}}
 {{- $tlsSecret := index . "tlsSecret" | default "" -}}
@@ -74,6 +75,9 @@
       {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
       nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
       initContainers:
 {{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
index 8347b58..a109e3c 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -24,6 +24,7 @@
 {{- $jobAnnotations := index . "jobAnnotations" -}}
 {{- $jobLabels := index . "jobLabels" -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
 {{- $secretBin := index . "secretBin" -}}
 {{- $tlsSecret := index . "tlsSecret" | default "" -}}
@@ -74,6 +75,9 @@
       {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
       nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
       initContainers:
 {{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
index 80960f4..905eb71 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -45,6 +45,7 @@
 {{- $jobAnnotations := index . "jobAnnotations" -}}
 {{- $jobLabels := index . "jobLabels" -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
 {{- $serviceUser := index . "serviceUser" | default $serviceName -}}
 {{- $secretBin := index . "secretBin" -}}
@@ -97,6 +98,9 @@
       {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
       nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
       initContainers:
 {{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
index 7ecacce..6982064 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -18,6 +18,7 @@
 {{- $jobAnnotations := index . "jobAnnotations" -}}
 {{- $jobLabels := index . "jobLabels" -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
 {{- $serviceUser := index . "serviceUser" | default $serviceName -}}
 {{- $secretBin := index . "secretBin" -}}
@@ -64,6 +65,9 @@
       {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
       nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
       initContainers:
 {{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
index 9dc2859..29cb993 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -23,6 +23,7 @@
 {{- $jobAnnotations := index . "jobAnnotations" -}}
 {{- $jobLabels := index . "jobLabels" -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
 {{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
 {{- $secretBin := index . "secretBin" -}}
@@ -69,6 +70,9 @@
       {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
       nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
       initContainers:
 {{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
index 3dd407e..50d9af5 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -23,6 +23,7 @@
 {{- $jobAnnotations := index . "jobAnnotations" -}}
 {{- $jobLabels := index . "jobLabels" -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
 {{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
 {{- $secretBin := index . "secretBin" -}}
@@ -67,6 +68,9 @@
       {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
       nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
       initContainers:
 {{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
         - name: ceph-keyring-placement
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
index 6fed825..0906df4 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -23,6 +23,7 @@
 {{- $jobAnnotations := index . "jobAnnotations" -}}
 {{- $jobLabels := index . "jobLabels" -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
 {{- $podVolMounts := index . "podVolMounts" | default false -}}
 {{- $podVols := index . "podVols" | default false -}}
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
@@ -66,6 +67,9 @@
       {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
       nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
       initContainers:
 {{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
       containers:
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Creates a manifest for a authenticating a registry with a secret
+examples:
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+
+  - values: |
+      secrets:
+        oci_image_registry:
+          {{ $serviceName }}: {{ $keyName }}
+      endpoints:
+        oci_image_registry:
+          name: oci-image-registry
+          auth:
+            enabled: true
+             {{ $serviceName }}:
+                name: {{ $userName }}
+                password: {{ $password }}
+  usage: |
+    {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+  return: |
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ $secretName }}
+    type: kubernetes.io/dockerconfigjson
+    data:
+      dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
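Review bot: The documentation block disagrees with the template body in two places: the example values describe the credential as `name: {{ $userName }}` under `auth.<service>`, while the body reads `$imageCredentials.username`, and the `return` example shows `dockerconfigjson:` while the manifest emits `.dockerconfigjson:` (the key Kubernetes expects for type `kubernetes.io/dockerconfigjson`). The second `- values:` example is a verbatim duplicate of the first and can be dropped, and "a manifest for a authenticating a registry" should read "a manifest for authenticating to a registry". A short comment above the `$dockerAuth` line would also help, e.g. `{{/* JSON is assembled with printf; host and port are assumed to contain no characters that need JSON escaping */}}`, since the registry host comes from values and is not escaped.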
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
index 4294d40..6027b95 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -133,8 +133,10 @@
 # Create DB User
 try:
     root_engine.execute(
-        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
-            database, user, password, mysql_x509))
+        "CREATE USER IF NOT EXISTS \'{0}\'@\'%%\' IDENTIFIED BY \'{1}\' {2}".format(
+            user, password, mysql_x509))
+    root_engine.execute(
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\'".format(database, user))
     logger.info("Created user {0} for {1}".format(user, database))
 except:
     logger.critical("Could not create user {0} for {1}".format(user, database))
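Review bot: `CREATE USER IF NOT EXISTS ... IDENTIFIED BY` is a no-op for an account that already exists, so the password from the secret is applied only on first creation; the removed `GRANT ... IDENTIFIED BY` form re-applied it on every run, which is what made a rotated password take effect. If that behaviour is still wanted, follow the CREATE with `"ALTER USER IF EXISTS \'{0}\'@\'%%\' IDENTIFIED BY \'{1}\' {2}".format(user, password, mysql_x509)` (the target server version, which determines support for this syntax, is not visible here). `user` and `password` are still interpolated with `.format`, so a password containing a single quote breaks the statement; that limitation deserves a comment next to the format call. The `except:` that closes this block is a bare except and is outside the hunk.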
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
index 87872d6..3739f95 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -77,6 +77,11 @@
   password="${RABBITMQ_PASSWORD}" \
   tags="user"
 
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+  delete user \
+  name="guest" || true
+
 if [ "${RABBITMQ_VHOST}" != "/" ]
 then
   echo "Managing: vHost: ${RABBITMQ_VHOST}"
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
index cdc9ff5..3963bd4 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -66,6 +66,14 @@
 #       framework will automatically tar/zip the files in that directory and
 #       name the tarball appropriately according to the proper conventions.
 #
+#   verify_databases_backup_archives [scope]
+#       returns: 0 if no errors; 1 if any errors occurred
+#
+#       This function is expected to verify the database backup archives. If this function
+#        completes successfully (returns 0), the
+#       framework will automatically starts remote backup upload.
+#
+#
 # The functions in this file will take care of:
 #   1) Calling "dump_databases_to_directory" and then compressing the files,
 #      naming the tarball properly, and then storing it locally at the specified
@@ -90,6 +98,16 @@
   exit $ERRCODE
 }
 
+log_verify_backup_exit() {
+  MSG=$1
+  ERRCODE=${2:-0}
+  log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+  rm -f $ERR_LOG_FILE
+  # rm -rf $TMP_DIR
+  exit $ERRCODE
+}
+
+
 log() {
   #Log message to a file or stdout
   #TODO: This can be convert into mail alert of alert send to a monitoring system
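Review bot: `log_verify_backup_exit` duplicates `log_backup_error_exit` (whose tail is visible just above) apart from the log tag, including the unquoted `rm -f $ERR_LOG_FILE` and the commented-out `# rm -rf $TMP_DIR`; dead code should be restored or removed rather than copied. A single helper taking the tag as a parameter would avoid the duplication, and the path should be quoted: `rm -f "${ERR_LOG_FILE}"`.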
@@ -195,18 +213,38 @@
     fi
   fi
 
+  # load balance delay
+  DELAY=$((1 + ${RANDOM} % 30))
+  echo "Sleeping for ${DELAY} seconds to spread the load in time..."
+  sleep ${DELAY}
+
   # Create an object to store the file
   openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
     return 2
   fi
+
   openstack object show $CONTAINER_NAME $FILE
   if [[ $? -ne 0 ]]; then
     log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
     return 2
   fi
 
+  # Remote backup verification
+  MD5_REMOTE=$(openstack object show $CONTAINER_NAME $FILE -f json | jq -r ".etag")
+  MD5_LOCAL=$(cat ${FILEPATH}/${FILE} | md5sum | awk '{print $1}')
+  log INFO "${DB_NAME}_backup" "Obtained MD5 hash for the file $FILE in container $CONTAINER_NAME."
+  log INFO "${DB_NAME}_backup" "Local MD5 hash is ${MD5_LOCAL}."
+  log INFO "${DB_NAME}_backup" "Remote MD5 hash is ${MD5_REMOTE}."
+  if [[ "${MD5_LOCAL}" == "${MD5_REMOTE}" ]]; then
+      log INFO "${DB_NAME}_backup" "The local backup & remote backup MD5 hash values are matching for file $FILE in container $CONTAINER_NAME."
+  else
+      log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup MD5 hash values"
+      return 2
+  fi
+  rm -rf ${REMOTE_FILE}
+
   log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
   return 0
 }
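Review bot: `rm -rf ${REMOTE_FILE}` refers to a variable that is not assigned anywhere in this hunk; if it is unset the command expands to `rm -rf` with no operand (a harmless error), and if it is ever set to a directory the `-r` removes it recursively, so either define it next to `MD5_REMOTE` or drop the line and use `rm -f "${path}"`. The verification also adds a runtime dependency on `jq` that the rest of the script did not have, and Swift's `etag` equals the content MD5 only for single-segment objects — for segmented uploads it is a hash of segment hashes and the comparison would always fail; whether `openstack object create` segments here is not visible. `MD5_LOCAL=$(md5sum "${FILEPATH}/${FILE}" | awk '{print $1}')` avoids the `cat` pipe. The enclosing upload function starts and ends outside this hunk.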
@@ -253,6 +291,16 @@
   return 1
 }
 
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+  local A_FILE="$1"
+  awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
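Review bot: `get_archive_date` selects the third field from the end, which assumes the archive name ends in exactly two dot-separated components (`.tar.gz`); that assumption should be stated in the header comment, e.g. `# assumes the name ends in .tar.gz; any other suffix shifts the date field`. The here-string should be quoted, `awk -F. '{print $(NF-2)}' <<< "${A_FILE}" | tr -d "Z"`, so a name with spaces is not split.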
 # This function takes a list of archives' names as an input
 # and creates a hash table where keys are number of seconds
 # between current date and archive date (see seconds_difference),
@@ -271,40 +319,63 @@
 # possible case, when we have several backups of the same date. E.g.
 # one manual, and one automatic.
 
-declare -A FILETABLE
+declare -A fileTable
 create_hash_table() {
-unset FILETABLE
+unset fileTable
 fileList=$@
   for ARCHIVE_FILE in ${fileList}; do
-    ARCHIVE_DATE=$( echo $ARCHIVE_FILE | awk -F/ '{print $NF}' | cut -d'.' -f 4)
     # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
     # to take in account a possibility, that we can have more than one scheduled
     # backup per day.
-    INDEX=$(seconds_difference $(date --date $ARCHIVE_DATE +"%D"))
-    if [[ -z FILETABLE[${INDEX}] ]]; then
-      FILETABLE[${INDEX}]=${ARCHIVE_FILE}
+    ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+    ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+    log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+    INDEX=$(seconds_difference ${ARCHIVE_DATE})
+    if [[ -z fileTable[${INDEX}] ]]; then
+      fileTable[${INDEX}]=${ARCHIVE_FILE}
     else
-      FILETABLE[${INDEX}]="${FILETABLE[${INDEX}]} ${ARCHIVE_FILE}"
+      fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
     fi
-    echo "INDEX: ${INDEX} VALUE:  ${FILETABLE[${INDEX}]}"
+    echo "INDEX: ${INDEX} VALUE:  ${fileTable[${INDEX}]}"
  done
 }
 
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+  ALL_FILES=($@)
+  PREFIXES=()
+  for fname in ${ALL_FILES[@]}; do
+    prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+    for ((i=0; i<${#PREFIXES[@]}; i++)) do
+      if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+        prefix=""
+        break
+      fi
+    done
+    if [[ ! -z ${prefix} ]]; then
+        PREFIXES+=(${prefix})
+    fi
+  done
+}
+
 remove_old_local_archives() {
+  SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
   if [[ -d $ARCHIVE_DIR ]]; then
     count=0
-    SECONDS_TO_KEEP=$((${LOCAL_DAYS_TO_KEEP}*86400))
-    log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days"
     # We iterate over the hash table, checking the delta in seconds (hash keys),
     # and minimum number of backups we must have in place. List of keys has to be sorted.
-    for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
-      ARCHIVE_FILE=${FILETABLE[${INDEX}]}
-      if [[ ${INDEX} -le ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+    for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+      ARCHIVE_FILE=${fileTable[${INDEX}]}
+      if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
         ((count++))
         log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
       else
         log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
-          rm -rf $ARCHIVE_FILE
+          rm -f ${ARCHIVE_FILE}
           if [[ $? -ne 0 ]]; then
             # Log error but don't exit so we can finish the script
             # because at this point we haven't sent backup to RGW yet
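Review bot: `[[ -z fileTable[${INDEX}] ]]` tests the literal string `fileTable[<index>]`, which is never empty, so the `else` branch always runs and the first entry of every bucket is stored with a leading space; it only works because the values are later word-split unquoted. The test should dereference the array: `if [[ -z ${fileTable[${INDEX}]} ]]; then`. The `-le` → `-lt` change at `${INDEX} -lt ${SECONDS_TO_KEEP}` is repeated in `remove_old_remote_archives` in the next hunk; it makes an archive exactly `LOCAL_DAYS_TO_KEEP` days old eligible for deletion, which looks intentional but should be stated in the comment above the loop. In `get_backup_prefix`, the result is communicated through the global `PREFIXES` rather than printed, and the nested dedup loop could be an associative-array lookup.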
@@ -332,27 +403,29 @@
 # The logic implemented with this function is absolutely similar
 # to the function remove_old_local_archives (see above)
 remove_old_remote_archives() {
-  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days"
   count=0
   SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
-  for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
-    ARCHIVE_FILE=${FILETABLE[${INDEX}]}
-    if [[ ${INDEX} -le ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+  log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+    ARCHIVE_FILE=${fileTable[${INDEX}]}
+    if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
       ((count++))
       log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
     else
       log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
-      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log_backup_error_exit \
-        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}!"
+      openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} ||  log WARN "${DB_NAME}_backup" \
+        "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
     fi
   done
 
   # Cleanup now that we're done.
   for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
-  if [[ -f fd ]]; then
-    rm -f fd
-  else
-    log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    if [[ -f ${fd} ]]; then
+      rm -f ${fd}
+    else
+      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+    fi
+  done
 }
 
 # Main function to backup the databases. Calling functions need to supply:
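Review bot: Downgrading the failed `openstack object delete` to a WARN means remove_old_remote_archives now returns success even when remote retention could not be applied, so the caller gets no signal that old backups are accumulating in the container. Counting failures in the `||` branch, e.g. `((delete_failures++))`, and logging one summary line after the loop keeps the outcome visible in the job log; the double space in `||  log WARN` on that line is also worth tidying. The `-lt` boundary change is consistent with remove_old_local_archives above.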
@@ -409,17 +482,36 @@
 
   cd $ARCHIVE_DIR
 
+  #Only delete the old archive after a successful archive
+  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+    get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+    for ((i=0; i<${#PREFIXES[@]}; i++)); do
+      echo "Working with prefix: ${PREFIXES[i]}"
+      create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+      remove_old_local_archives
+    done
+  fi
+
+  # Local backup verification process
+
+  # It is expected that this function will verify the database backup files
+  if verify_databases_backup_archives ${SCOPE}; then
+    log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+  else
+    # If successful, there should be at least one file in the TMP_DIR
+    if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+      cat $ERR_LOG_FILE
+    fi
+    log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+    exit 1
+  fi
+
   # Remove the temporary directory and files as they are no longer needed.
   rm -rf $TMP_DIR
   rm -f $ERR_LOG_FILE
 
-  #Only delete the old archive after a successful archive
-  export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
-  if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
-    create_hash_table $(ls -1 $ARCHIVE_DIR/*.gz)
-    remove_old_local_archives
-  fi
-
+  # Remote backup
   REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
   if $REMOTE_BACKUP; then
     # Remove Quotes from the constants which were added due to reading
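Review bot: The local retention pruning now runs before `verify_databases_backup_archives`, so when verification fails the script exits after older archives have already been deleted from ${ARCHIVE_DIR}, leaving fewer known-good backups than before, and the comment `#Only delete the old archive after a successful archive` no longer describes the sequence. Moving the `if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]` block below the verification `if`/`else` restores the old ordering. Separately, `${ARCHIVE_DIR}/${PREFIXES[i]}*.gz` also matches any prefix that merely begins with the current one (a namespace name that is a prefix of another), so archives can land in the wrong retention set; if the archive name always continues with a dot after the prefix, `${PREFIXES[i]}.*.gz` narrows the glob. The enclosing function starts and ends outside the hunk.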
@@ -448,8 +540,12 @@
     #Only delete the old archive after a successful archive
     if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
       prepare_list_of_remote_backups
-      create_hash_table $(cat $DB_BACKUP_FILES)
-      remove_old_remote_archives
+      get_backup_prefix $(cat $DB_BACKUP_FILES)
+      for ((i=0; i<${#PREFIXES[@]}; i++)); do
+        echo "Working with prefix: ${PREFIXES[i]}"
+        create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+        remove_old_remote_archives
+      done
     fi
 
     echo "=================================================================="
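Review bot: `grep ${PREFIXES[i]}` on the new create_hash_table line is an unanchored basic-regex match, so a prefix such as `db.ns` also selects `db.ns2.*` entries and any other name containing that substring (the dots match any character), feeding the wrong objects into remove_old_remote_archives. `grep -F -- "${PREFIXES[i]}."` (or `grep -- "^${PREFIXES[i]}\."` if the list holds bare object names, which is not visible here) restricts the match to that prefix, and `grep` can read ${DB_BACKUP_FILES} directly instead of via `cat`. The same prefix-collision exists for the local glob in the preceding hunk.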
@@ -468,4 +564,4 @@
     echo "=================================================================="
   fi
 }
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
index c2de3aa..093dd2c 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -269,7 +269,7 @@
       echo "=============================================="
       for archive in $archives
       do
-        echo $archive | cut -d '/' -f 8
+        echo $archive | cut -d '/' -f8-
       done
       clean_and_exit 0 ""
     else
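Review bot: `cut -d '/' -f8-` still pins the listing to a fixed path depth, so it silently prints the wrong segment if the archive path gains or loses a directory level. A comment above the loop such as `# paths carry 7 leading components before the archive name; print from field 8 onward` makes the assumption explicit, and stripping a known prefix with parameter expansion would remove the dependence on depth altogether. The enclosing block starts and ends outside the hunk.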
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
index 4cc898d..bc2045e 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -42,6 +42,12 @@
 metadata:
   name: {{ $saName }}
   namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+  - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
 {{- range $k, $v := $deps -}}
 {{- if eq $k "services" }}
 {{- range $serv := $v }}
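Review bot: `index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name` renders `name:` with an empty value when the chart has no entry under `secrets.oci_image_registry`, producing an imagePullSecrets item without a name instead of a template-time error. Wrapping it in `required`, e.g. `- name: {{ required "secrets.oci_image_registry.<chart> must be set" (index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name) }}`, fails early with a clear message. A comment noting that the pull secret is attached to the ServiceAccount, so every pod using that account inherits it, would also help readers of this snippet.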
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
index b99c00d..4a88dd8 100644
--- a/charts/libvirt/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -27,10 +27,12 @@
 {{- else if kindIs "slice" $dependencyMixinParam }}
 {{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
 {{- range $k, $v := $dependencyMixinParam -}}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $v ) }}
 {{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
 {{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
 {{- end }}
 {{- end }}
+{{- end }}
 {{- else -}}
 {{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
 {{- end -}}
diff --git a/charts/libvirt/requirements.lock b/charts/libvirt/requirements.lock
index ace5688..b17183c 100644
--- a/charts/libvirt/requirements.lock
+++ b/charts/libvirt/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: helm-toolkit
   repository: file://../helm-toolkit
-  version: 0.2.34
-digest: sha256:3e751b6e287477a9313edb791085b4430ca0a7fb983ea4b5245a825dc7e22619
-generated: "2022-03-21T18:35:10.37140708Z"
+  version: 0.2.54
+digest: sha256:dd4dba67518d3c1ed79bf1663fbb9379b51c4a5d985f8a4884f4e9d168ab940d
+generated: "2023-08-29T21:31:15.740665119Z"
diff --git a/charts/libvirt/templates/bin/_cert-init.sh.tpl b/charts/libvirt/templates/bin/_cert-init.sh.tpl
deleted file mode 100644
index a352219..0000000
--- a/charts/libvirt/templates/bin/_cert-init.sh.tpl
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/bin/bash
-
-{{/*
-Copyright (c) 2023 VEXXHOST, Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-cat <<EOF | kubectl apply -f -
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: ${POD_NAME}-${TYPE}
-  namespace: ${POD_NAMESPACE}
-  ownerReferences:
-    - apiVersion: v1
-      kind: Pod
-      name: ${POD_NAME}
-      uid: ${POD_UID}
-spec:
-  secretName: ${POD_NAME}-${TYPE}
-  commonName: ${POD_IP}
-  usages:
-  - client auth
-  - server auth
-  dnsNames:
-  - ${HOSTNAME}
-  ipAddresses:
-  - ${POD_IP}
-  issuerRef:
-    kind: Issuer
-    name: libvirt-${TYPE}
-EOF
-
-kubectl -n ${POD_NAMESPACE} wait --for=condition=Ready --timeout=300s \
-  certificate/${POD_NAME}-${TYPE}
-
-# NOTE(mnaser): cert-manager does not clean-up the secrets when the certificate
-#               is deleted, so we should add an owner reference to the secret
-#               to ensure that it is cleaned up when the pod is deleted.
-kubectl -n ${POD_NAMESPACE} patch secret ${POD_NAME}-${TYPE} \
-  --type=json -p='[{"op": "add", "path": "/metadata/ownerReferences", "value": [{"apiVersion": "v1", "kind": "Pod", "name": "'${POD_NAME}'", "uid": "'${POD_UID}'"}]}]'
-
-kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/${TYPE}.crt
-kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.key}' | base64 -d > /tmp/${TYPE}.key
-kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/${TYPE}-ca.crt
diff --git a/charts/libvirt/templates/bin/_libvirt.sh.tpl b/charts/libvirt/templates/bin/_libvirt.sh.tpl
index 62ab1f6..357bfe3 100644
--- a/charts/libvirt/templates/bin/_libvirt.sh.tpl
+++ b/charts/libvirt/templates/bin/_libvirt.sh.tpl
@@ -16,24 +16,6 @@
 
 set -ex
 
-# NOTE(mnaser): This will move the API certificates into the expected location.
-if [ -f /tmp/api.crt ]; then
-  mkdir -p /etc/pki/CA /etc/pki/libvirt/private
-
-  cp /tmp/api-ca.crt {{ .Values.conf.libvirt.ca_file }}
-  cp /tmp/api-ca.crt /etc/pki/qemu/ca-cert.pem
-
-  cp /tmp/api.crt {{ .Values.conf.libvirt.cert_file }}
-  cp /tmp/api.crt /etc/pki/libvirt/clientcert.pem
-  cp /tmp/api.crt /etc/pki/qemu/server-cert.pem
-  cp /tmp/api.crt /etc/pki/qemu/client-cert.pem
-
-  cp /tmp/api.key {{ .Values.conf.libvirt.key_file }}
-  cp /tmp/api.key /etc/pki/libvirt/private/clientkey.pem
-  cp /tmp/api.key /etc/pki/qemu/server-key.pem
-  cp /tmp/api.key /etc/pki/qemu/client-key.pem
-fi
-
 # NOTE(mnaser): This will move the VNC certificates into the expected location.
 if [ -f /tmp/vnc.crt ]; then
   mkdir -p /etc/pki/libvirt-vnc
@@ -42,6 +24,13 @@
   mv /tmp/vnc-ca.crt /etc/pki/libvirt-vnc/ca-cert.pem
 fi
 
+# TODO: We disable cgroup functionality for cgroup v2, we should fix this in the future
+if $(stat -fc %T /sys/fs/cgroup/ | grep -q cgroup2fs); then
+  CGROUP_VERSION=v2
+else
+  CGROUP_VERSION=v1
+fi
+
 if [ -n "$(cat /proc/*/comm 2>/dev/null | grep -w libvirtd)" ]; then
   set +x
   for proc in $(ls /proc/*/comm 2>/dev/null); do
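Review bot: `if $(stat -fc %T /sys/fs/cgroup/ | grep -q cgroup2fs); then` only works because the command substitution expands to nothing and bash then falls back to the substitution's exit status; `if stat -fc %T /sys/fs/cgroup/ | grep -q cgroup2fs; then` states the intent without relying on that corner of the shell. The `# TODO` says cgroup functionality is disabled on v2 but not what is lost; a line such as `# on cgroup v2 libvirtd runs without the osh-libvirt cgroup and without the hugetlb limit workaround` tells an operator what to expect on such hosts.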
@@ -64,14 +53,16 @@
     chown root:kvm /dev/kvm
 fi
 
-#Setup Cgroups to use when breaking out of Kubernetes defined groups
-CGROUPS=""
-for CGROUP in cpu rdma hugetlb; do
-  if [ -d /sys/fs/cgroup/${CGROUP} ]; then
-    CGROUPS+="${CGROUP},"
-  fi
-done
-cgcreate -g ${CGROUPS%,}:/osh-libvirt
+if [ $CGROUP_VERSION != "v2" ]; then
+  #Setup Cgroups to use when breaking out of Kubernetes defined groups
+  CGROUPS=""
+  for CGROUP in cpu rdma hugetlb; do
+    if [ -d /sys/fs/cgroup/${CGROUP} ]; then
+      CGROUPS+="${CGROUP},"
+    fi
+  done
+  cgcreate -g ${CGROUPS%,}:/osh-libvirt
+fi
 
 # We assume that if hugepage count > 0, then hugepages should be exposed to libvirt/qemu
 hp_count="$(cat /proc/meminfo | grep HugePages_Total | tr -cd '[:digit:]')"
@@ -94,43 +85,49 @@
     exit 1
   fi
 
-  # Kubernetes 1.10.x introduced cgroup changes that caused the container's
-  # hugepage byte limit quota to zero out. This workaround sets that pod limit
-  # back to the total number of hugepage bytes available to the baremetal host.
-  if [ -d /sys/fs/cgroup/hugetlb ]; then
-    limits="$(ls /sys/fs/cgroup/hugetlb/{{ .Values.conf.kubernetes.cgroup }}/hugetlb.*.limit_in_bytes)" || \
-      (echo "ERROR: Failed to locate any hugetable limits. Did you set the correct cgroup in your values used for this chart?"
-       exit 1)
-    for limit in $limits; do
-      target="/sys/fs/cgroup/hugetlb/$(dirname $(awk -F: '($2~/hugetlb/){print $3}' /proc/self/cgroup))/$(basename $limit)"
-      # Ensure the write target for the hugepage limit for the pod exists
-      if [ ! -f "$target" ]; then
-        echo "ERROR: Could not find write target for hugepage limit: $target"
-      fi
+  if [ $CGROUP_VERSION != "v2" ]; then
+    # Kubernetes 1.10.x introduced cgroup changes that caused the container's
+    # hugepage byte limit quota to zero out. This workaround sets that pod limit
+    # back to the total number of hugepage bytes available to the baremetal host.
+    if [ -d /sys/fs/cgroup/hugetlb ]; then
+      limits="$(ls /sys/fs/cgroup/hugetlb/{{ .Values.conf.kubernetes.cgroup }}/hugetlb.*.limit_in_bytes)" || \
+        (echo "ERROR: Failed to locate any hugetable limits. Did you set the correct cgroup in your values used for this chart?"
+         exit 1)
+      for limit in $limits; do
+        target="/sys/fs/cgroup/hugetlb/$(dirname $(awk -F: '($2~/hugetlb/){print $3}' /proc/self/cgroup))/$(basename $limit)"
+        # Ensure the write target for the hugepage limit for the pod exists
+        if [ ! -f "$target" ]; then
+          echo "ERROR: Could not find write target for hugepage limit: $target"
+        fi
 
-      # Write hugetable limit for pod
-      echo "$(cat $limit)" > "$target"
-    done
-  fi
+        # Write hugetable limit for pod
+        echo "$(cat $limit)" > "$target"
+      done
+    fi
 
-  # Determine OS default hugepage size to use for the hugepage write test
-  default_hp_kb="$(cat /proc/meminfo | grep Hugepagesize | tr -cd '[:digit:]')"
+    # Determine OS default hugepage size to use for the hugepage write test
+    default_hp_kb="$(cat /proc/meminfo | grep Hugepagesize | tr -cd '[:digit:]')"
 
-  # Attempt to write to the hugepage mount to ensure it is operational, but only
-  # if we have at least 1 free page.
-  num_free_pages="$(cat /sys/kernel/mm/hugepages/hugepages-${default_hp_kb}kB/free_hugepages | tr -cd '[:digit:]')"
-  echo "INFO: '$num_free_pages' free hugepages of size ${default_hp_kb}kB"
-  if [ 0"$num_free_pages" -gt 0 ]; then
-    (fallocate -o0 -l "$default_hp_kb" /dev/hugepages/foo && rm /dev/hugepages/foo) || \
-      (echo "ERROR: fallocate failed test at /dev/hugepages with size ${default_hp_kb}kB"
-       rm /dev/hugepages/foo
-       exit 1)
+    # Attempt to write to the hugepage mount to ensure it is operational, but only
+    # if we have at least 1 free page.
+    num_free_pages="$(cat /sys/kernel/mm/hugepages/hugepages-${default_hp_kb}kB/free_hugepages | tr -cd '[:digit:]')"
+    echo "INFO: '$num_free_pages' free hugepages of size ${default_hp_kb}kB"
+    if [ 0"$num_free_pages" -gt 0 ]; then
+      (fallocate -o0 -l "$default_hp_kb" /dev/hugepages/foo && rm /dev/hugepages/foo) || \
+        (echo "ERROR: fallocate failed test at /dev/hugepages with size ${default_hp_kb}kB"
+         rm /dev/hugepages/foo
+         exit 1)
+    fi
   fi
 fi
 
-if [ -n "${LIBVIRT_CEPH_CINDER_SECRET_UUID}" ] ; then
-  #NOTE(portdirect): run libvirtd as a transient unit on the host with the osh-libvirt cgroups applied.
-  cgexec -g ${CGROUPS%,}:/osh-libvirt systemd-run --scope --slice=system libvirtd --listen &
+if [ -n "${LIBVIRT_CEPH_CINDER_SECRET_UUID}" ] || [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
+  if [ $CGROUP_VERSION != "v2" ]; then
+    #NOTE(portdirect): run libvirtd as a transient unit on the host with the osh-libvirt cgroups applied.
+    cgexec -g ${CGROUPS%,}:/osh-libvirt systemd-run --scope --slice=system libvirtd --listen &
+  else
+    systemd-run --scope --slice=system libvirtd --listen &
+  fi
 
   tmpsecret=$(mktemp --suffix .xml)
   if [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
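Review bot: The hugepage write test (the `num_free_pages` check and `fallocate` against /dev/hugepages) has been moved under `if [ $CGROUP_VERSION != "v2" ]`, but it exercises the hugetlbfs mount rather than the cgroup, so v2 hosts now skip a check that would still catch a broken mount. Only the hugetlb limit workaround depends on the v1 hierarchy; closing the `CGROUP_VERSION` guard after that workaround's `fi` and leaving the `default_hp_kb`/`fallocate` section unconditional keeps the test on both versions. The enclosing `if` on hp_count begins outside the hunk.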
@@ -185,19 +182,30 @@
     virsh secret-set-value --secret "${sec_uuid}" --base64 "${sec_ceph_keyring}"
   }
 
-  if [ -z "${CEPH_CINDER_KEYRING}" ] ; then
+  if [ -z "${CEPH_CINDER_KEYRING}" ] && [ -n "${CEPH_CINDER_USER}" ] ; then
     CEPH_CINDER_KEYRING=$(awk '/key/{print $3}' /etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring)
   fi
-  create_virsh_libvirt_secret ${CEPH_CINDER_USER} ${LIBVIRT_CEPH_CINDER_SECRET_UUID} ${CEPH_CINDER_KEYRING}
+  if [ -n "${CEPH_CINDER_USER}" ] ; then
+    create_virsh_libvirt_secret ${CEPH_CINDER_USER} ${LIBVIRT_CEPH_CINDER_SECRET_UUID} ${CEPH_CINDER_KEYRING}
+  fi
 
   if [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
     EXTERNAL_CEPH_CINDER_KEYRING=$(cat /tmp/external-ceph-client-keyring)
     create_virsh_libvirt_secret ${EXTERNAL_CEPH_CINDER_USER} ${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID} ${EXTERNAL_CEPH_CINDER_KEYRING}
   fi
 
-  # rejoin libvirtd
-  wait
-else
+  cleanup
+
+  # stop libvirtd; we needed it up to create secrets
+  LIBVIRTD_PID=$(cat /var/run/libvirtd.pid)
+  kill $LIBVIRTD_PID
+  tail --pid=$LIBVIRTD_PID -f /dev/null
+
+fi
+
+if [ $CGROUP_VERSION != "v2" ]; then
   #NOTE(portdirect): run libvirtd as a transient unit on the host with the osh-libvirt cgroups applied.
-  exec cgexec -g ${CGROUPS%,}:/osh-libvirt systemd-run --scope --slice=system libvirtd --listen
+  cgexec -g ${CGROUPS%,}:/osh-libvirt systemd-run --scope --slice=system libvirtd --listen
+else
+  systemd-run --scope --slice=system libvirtd --listen
 fi
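Review bot: The final `cgexec ... systemd-run --scope --slice=system libvirtd --listen` and its v2 counterpart are no longer prefixed with `exec`, so the container's main process stays the shell: SIGTERM from the kubelet reaches bash rather than libvirtd, and libvirtd's exit status is not what the container reports. Restoring `exec cgexec -g ${CGROUPS%,}:/osh-libvirt systemd-run --scope --slice=system libvirtd --listen` and `exec systemd-run --scope --slice=system libvirtd --listen` keeps the previous process model. `cleanup` is called before libvirtd is stopped but is not defined in the visible hunk; a comment naming what it removes (presumably the `tmpsecret` file, which holds the Ceph secret XML) would help, since that file contains key material.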
diff --git a/charts/libvirt/templates/certificate-ca.yaml b/charts/libvirt/templates/certificate-ca.yaml
deleted file mode 100644
index d2182db..0000000
--- a/charts/libvirt/templates/certificate-ca.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-{{/*
-Copyright (c) 2023 VEXXHOST, Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if eq .Values.conf.libvirt.listen_tls "1" }}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: {{ .Release.Name }}-api-ca
-  namespace: {{ .Release.Namespace }}
-spec:
-  commonName: {{ .Release.Name }}
-  duration: 87600h0m0s
-  isCA: true
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: self-signed
-  privateKey:
-    algorithm: ECDSA
-    size: 256
-  renewBefore: 720h0m0s
-  secretName: {{ .Release.Name }}-api-ca
-{{- end -}}
-{{- if eq .Values.conf.qemu.vnc_tls "1" }}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: {{ .Release.Name }}-vnc-ca
-  namespace: {{ .Release.Namespace }}
-spec:
-  commonName: {{ .Release.Name }}
-  duration: 87600h0m0s
-  isCA: true
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: self-signed
-  privateKey:
-    algorithm: ECDSA
-    size: 256
-  renewBefore: 720h0m0s
-  secretName: {{ .Release.Name }}-vnc-ca
-{{- end -}}
diff --git a/charts/libvirt/templates/configmap-bin.yaml b/charts/libvirt/templates/configmap-bin.yaml
index 40bc463..ca1a7ec 100644
--- a/charts/libvirt/templates/configmap-bin.yaml
+++ b/charts/libvirt/templates/configmap-bin.yaml
@@ -26,9 +26,9 @@
 {{- end }}
   libvirt.sh: |
 {{ tuple "bin/_libvirt.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-{{- if or (eq .Values.conf.libvirt.listen_tls "1") (eq .Values.conf.qemu.vnc_tls "1") }}
+{{- if eq .Values.conf.qemu.vnc_tls "1" }}
   cert-init.sh: |
-{{ tuple "bin/_cert-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{ tpl .Values.conf.vencrypt.cert_init_sh . | indent 4 }}
 {{- end }}
 {{- if .Values.conf.ceph.enabled }}
   ceph-keyring.sh: |
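Review bot: `tpl .Values.conf.vencrypt.cert_init_sh .` renders an empty `cert-init.sh` when that value is unset while `conf.qemu.vnc_tls` is `"1"`, and the failure only surfaces when the init container runs an empty script. `{{ tpl (required "conf.vencrypt.cert_init_sh is required when conf.qemu.vnc_tls is 1" .Values.conf.vencrypt.cert_init_sh) . | indent 4 }}` reports it at render time instead. Since the script is now supplied through values and runs with the ServiceAccount's cert-manager RBAC, a comment on the key noting that it is operator-provided shell rendered with `tpl` would help reviewers of values overrides.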
diff --git a/charts/libvirt/templates/daemonset-libvirt.yaml b/charts/libvirt/templates/daemonset-libvirt.yaml
index fc2c3b3..4a0b128 100644
--- a/charts/libvirt/templates/daemonset-libvirt.yaml
+++ b/charts/libvirt/templates/daemonset-libvirt.yaml
@@ -32,6 +32,10 @@
 {{- $configMapName := index . 1 }}
 {{- $serviceAccountName := index . 2 }}
 {{- $envAll := index . 3 }}
+{{- $ssl_enabled := false }}
+{{- if eq $envAll.Values.conf.libvirt.listen_tls "1" }}
+{{- $ssl_enabled = true }}
+{{- end }}
 {{- with $envAll }}
 
 {{- $mounts_libvirt := .Values.pod.mounts.libvirt.libvirt }}
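Review bot: The three-line `$ssl_enabled` assignment can be written as a single expression, `{{- $ssl_enabled := eq $envAll.Values.conf.libvirt.listen_tls "1" }}`, which reads as the boolean it is and avoids the mutable reassignment. A short comment that this flag drives the `tls_volume`/`tls_volume_mount` includes further down would also help, since the variable's consumers are far from its definition.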
@@ -65,6 +69,9 @@
       serviceAccountName: {{ $serviceAccountName }}
       nodeSelector:
         {{ .Values.labels.agent.libvirt.node_selector_key }}: {{ .Values.labels.agent.libvirt.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.libvirt.enabled }}
+{{ tuple $envAll "libvirt" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -72,39 +79,6 @@
       initContainers:
 {{ tuple $envAll "pod_dependency" $mounts_libvirt_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 {{ dict "envAll" $envAll | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" | indent 8 }}
-{{- if eq .Values.conf.libvirt.listen_tls "1" }}
-        - name: cert-init-api
-{{ tuple $envAll "kubectl" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ dict "envAll" $envAll "application" "libvirt" "container" "cert_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-          command:
-            - /tmp/cert-init.sh
-          env:
-            - name: TYPE
-              value: api
-            - name: POD_UID
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.uid
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: POD_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.podIP
-          volumeMounts:
-            - name: pod-tmp
-              mountPath: /tmp
-            - name: libvirt-bin
-              mountPath: /tmp/cert-init.sh
-              subPath: cert-init.sh
-              readOnly: true
-{{- end }}
 {{- if eq .Values.conf.qemu.vnc_tls "1" }}
         - name: cert-init-vnc
 {{ tuple $envAll "kubectl" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -114,6 +88,10 @@
           env:
             - name: TYPE
               value: vnc
+            - name: ISSUER_KIND
+              value: {{ .Values.conf.vencrypt.issuer.kind }}
+            - name: ISSUER_NAME
+              value: {{ .Values.conf.vencrypt.issuer.name }}
             - name: POD_UID
               valueFrom:
                 fieldRef:
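Review bot: `value: {{ .Values.conf.vencrypt.issuer.kind }}` and the `ISSUER_NAME` line below it emit the values unquoted, so a name that YAML types as non-string (all digits, `yes`/`no`, a leading `*` or `{`) either breaks the manifest or changes type, and env values must be strings. `value: {{ .Values.conf.vencrypt.issuer.kind | quote }}` and `value: {{ .Values.conf.vencrypt.issuer.name | quote }}` match how the Ceph env values in this file are already quoted.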
@@ -194,8 +172,8 @@
 {{ tuple $envAll "libvirt" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.libvirt | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "libvirt" "container" "libvirt" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-          {{- if .Values.conf.ceph.enabled }}
           env:
+          {{- if .Values.conf.ceph.enabled }}
             - name: CEPH_CINDER_USER
               value: "{{ .Values.conf.ceph.cinder.user }}"
             {{- if .Values.conf.ceph.cinder.keyring }}
@@ -204,13 +182,13 @@
             {{ end }}
             - name: LIBVIRT_CEPH_CINDER_SECRET_UUID
               value: "{{ .Values.conf.ceph.cinder.secret_uuid }}"
-            {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
+          {{ end }}
+          {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
             - name: EXTERNAL_CEPH_CINDER_USER
               value: "{{ .Values.conf.ceph.cinder.external_ceph.user }}"
             - name: LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID
               value: "{{ .Values.conf.ceph.cinder.external_ceph.secret_uuid }}"
             {{ end }}
-          {{ end }}
 {{ dict "envAll" . "component" "libvirt" "container" "libvirt" "type" "readiness" "probeTemplate" (include "libvirtReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
 {{ dict "envAll" . "component" "libvirt" "container" "libvirt" "type" "liveness" "probeTemplate" (include "libvirtLivenessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
           command:
@@ -224,6 +202,10 @@
                   - |-
                     kill $(cat /var/run/libvirtd.pid)
           volumeMounts:
+            {{ dict "enabled" $ssl_enabled "name" "ssl-client" "path" "/etc/pki/libvirt" "certs" (tuple "clientcert.pem" "clientkey.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+            {{ dict "enabled" $ssl_enabled "name" "ssl-server-cert" "path" "/etc/pki/libvirt" "certs" (tuple "servercert.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+            {{ dict "enabled" $ssl_enabled "name" "ssl-server-key" "path" "/etc/pki/libvirt/private" "certs" (tuple "serverkey.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+            {{ dict "enabled" $ssl_enabled "name" "ssl-ca-cert" "path" "/etc/pki/CA" "certs" (tuple "cacert.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
             - name: pod-tmp
               mountPath: /tmp
             - name: libvirt-bin
@@ -240,10 +222,6 @@
               readOnly: true
             - name: etc-libvirt-qemu
               mountPath: /etc/libvirt/qemu
-{{- if eq .Values.conf.libvirt.listen_tls "1" }}
-            - name: etc-pki-qemu
-              mountPath: /etc/pki/qemu
-{{- end }}
             - mountPath: /lib/modules
               name: libmodules
               readOnly: true
@@ -280,15 +258,43 @@
               subPath: key
               readOnly: true
             {{- end }}
+            {{- end }}
             {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
             - name: external-ceph-keyring
               mountPath: /tmp/external-ceph-client-keyring
               subPath: key
               readOnly: true
             {{- end }}
-            {{- end }}
 {{ if $mounts_libvirt.volumeMounts }}{{ toYaml $mounts_libvirt.volumeMounts | indent 12 }}{{ end }}
+        {{- if .Values.pod.sidecars.libvirt_exporter }}
+        - name: libvirt-exporter
+{{ tuple $envAll "libvirt_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.libvirt_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "libvirt" "container" "libvirt_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          ports:
+            - name: metrics
+              protocol: TCP
+              containerPort: {{ tuple "libvirt_exporter" "direct" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          livenessProbe:
+            httpGet:
+              path: /
+              port: metrics
+          readinessProbe:
+            httpGet:
+              path: /
+              port: metrics
+          volumeMounts:
+            - name: run
+              mountPath: /run
+              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+              mountPropagation: Bidirectional
+              {{- end }}
+        {{- end }}
       volumes:
+        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.client "name" "ssl-client" "path" "/etc/pki/libvirt" "certs" (tuple "clientcert.pem" "clientkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-cert" "path" "/etc/pki/libvirt" "certs" (tuple "servercert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-key" "path" "/etc/pki/libvirt/private" "certs" (tuple "serverkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-ca-cert" "path" "/etc/pki/CA" "certs" (tuple "cacert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
         - name: pod-tmp
           emptyDir: {}
         - name: libvirt-bin
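Review bot: The `mountPropagation: Bidirectional` guard compares `.Capabilities.KubeVersion.Minor` with `ge` as strings, so the check is lexical (`"9"` is ≥ `"10"`, `"1"` is not); it happens to pass for any current cluster but does not express a version comparison, and `semverCompare ">=1.10-0" .Capabilities.KubeVersion.Version` states the intent. Bidirectional propagation on `/run` is also only admitted for a privileged container, so the `libvirt_exporter` security context supplied through values has to grant that; a comment on the mount stating this requirement would save a failed rollout. The readiness and liveness probes on `/` of the metrics port presumably assume the exporter serves something at that path — worth confirming against the image.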
@@ -312,12 +318,12 @@
           secret:
             secretName: {{ .Values.ceph_client.user_secret_name }}
         {{ end }}
+        {{ end }}
         {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
         - name: external-ceph-keyring
           secret:
             secretName: {{ .Values.conf.ceph.cinder.external_ceph.user_secret_name }}
         {{ end }}
-        {{ end }}
         - name: libmodules
           hostPath:
             path: /lib/modules
@@ -345,11 +351,6 @@
         - name: etc-libvirt-qemu
           hostPath:
             path: /etc/libvirt/qemu
-{{- if eq .Values.conf.libvirt.listen_tls "1" }}
-        - name: etc-pki-qemu
-          hostPath:
-            path: /etc/pki/qemu
-{{- end }}
 {{ dict "envAll" $envAll "component" "libvirt" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" | indent 8 }}
 {{ if $mounts_libvirt.volumes }}{{ toYaml $mounts_libvirt.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/charts/libvirt/templates/issuer.yaml b/charts/libvirt/templates/issuer.yaml
deleted file mode 100644
index 7077434..0000000
--- a/charts/libvirt/templates/issuer.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-{{/*
-Copyright (c) 2023 VEXXHOST, Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if eq .Values.conf.libvirt.listen_tls "1" }}
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: {{ .Release.Name }}-api
-  namespace: {{ .Release.Namespace }}
-spec:
-  ca:
-    secretName: {{ .Release.Name }}-api-ca
-{{- end -}}
-{{- if eq .Values.conf.qemu.vnc_tls "1" }}
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: {{ .Release.Name }}-vnc
-  namespace: {{ .Release.Namespace }}
-spec:
-  ca:
-    secretName: {{ .Release.Name }}-vnc-ca
-{{- end -}}
diff --git a/charts/libvirt/templates/job-image-repo-sync.yaml b/charts/libvirt/templates/job-image-repo-sync.yaml
index d359d1a..91d5282 100644
--- a/charts/libvirt/templates/job-image-repo-sync.yaml
+++ b/charts/libvirt/templates/job-image-repo-sync.yaml
@@ -14,5 +14,8 @@
 
 {{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
 {{- $imageRepoSyncJob := dict "envAll" . "serviceName" "libvirt" -}}
+{{- if .Values.pod.tolerations.libvirt.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
 {{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
 {{- end }}
diff --git a/charts/libvirt/templates/role-cert-manager.yaml b/charts/libvirt/templates/role-cert-manager.yaml
index 094bdc6..cab1059 100644
--- a/charts/libvirt/templates/role-cert-manager.yaml
+++ b/charts/libvirt/templates/role-cert-manager.yaml
@@ -1,11 +1,9 @@
 {{/*
-Copyright (c) 2023 VEXXHOST, Inc.
-
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
 
-  http://www.apache.org/licenses/LICENSE-2.0
+   http://www.apache.org/licenses/LICENSE-2.0
 
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
@@ -14,7 +12,8 @@
 limitations under the License.
 */}}
 
-{{- if or (eq .Values.conf.libvirt.listen_tls "1") (eq .Values.conf.qemu.vnc_tls "1") }}
+{{- if .Values.manifests.role_cert_manager }}
+{{- $serviceAccountName := "libvirt" }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
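Review bot: The cert-manager RoleBinding/Role is now emitted only when `manifests.role_cert_manager` is true, which values.yaml defaults to false, so a deployment that turns on `vnc_tls` (as roles/libvirt/vars/main.yml does) gets no RBAC for `cert_init_sh`, and its `kubectl apply`/`wait`/`patch secret` calls are rejected by the API server. The old condition coupled the grant to `listen_tls`/`vnc_tls`, and nothing visible in this diff sets the new flag in the Ansible vars; if it is set elsewhere this is fine, otherwise either add `manifests.role_cert_manager: true` next to `vnc_tls: "1"` or keep the coupling with `{{- if or .Values.manifests.role_cert_manager (eq .Values.conf.qemu.vnc_tls "1") }}`. A comment above the condition such as `{{/* required whenever conf.qemu.vnc_tls is "1": cert_init_sh creates Certificates and patches Secrets */}}` would make the dependency explicit.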
@@ -27,7 +26,7 @@
   name: {{ .Release.Name }}-cert-manager
 subjects:
   - kind: ServiceAccount
-    name: {{ .Release.Name }}
+    name: {{ $serviceAccountName }}
     namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -51,4 +50,4 @@
       - patch
     resources:
       - secrets
-{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/libvirt/templates/secret-registry.yaml b/charts/libvirt/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/libvirt/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/libvirt/values.yaml b/charts/libvirt/values.yaml
index f21a100..66aa7bb 100644
--- a/charts/libvirt/values.yaml
+++ b/charts/libvirt/values.yaml
@@ -26,11 +26,12 @@
 
 images:
   tags:
-    kubectl: docker.io/bitnami/kubectl:latest
-    libvirt: docker.io/openstackhelm/libvirt:latest-ubuntu_bionic
-    ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20200217'
+    libvirt: docker.io/openstackhelm/libvirt:latest-ubuntu_focal
+    libvirt_exporter: vexxhost/libvirtd-exporter:latest
+    ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_focal_17.2.6-1-20230508'
     dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
     image_repo_sync: docker.io/library/docker:17.07.0
+    kubectl: docker.io/bitnami/kubectl:latest
   pull_policy: "IfNotPresent"
   local_registry:
     active: false
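Review bot: `libvirt_exporter: vexxhost/libvirtd-exporter:latest` pins neither a registry nor an immutable tag, so each node pull can silently resolve to a different image, and the same sidecar is configured `privileged: true` later in this diff, which turns an unverifiable image into a host-level risk. `kubectl: docker.io/bitnami/kubectl:latest` has the same problem and is presumably the image whose `kubectl` the vencrypt cert script runs with rights to create Certificates and patch Secrets. Pin both to a version tag, ideally with a digest, e.g. `libvirt_exporter: docker.io/vexxhost/libvirtd-exporter:<version>@sha256:<digest>`, and add a comment stating that operators are expected to override with a pinned image.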
@@ -58,6 +59,25 @@
     port:
       registry:
         node: 5000
+  oci_image_registry:
+    name: oci-image-registry
+    namespace: oci-image-registry
+    auth:
+      enabled: false
+      libvirt:
+        username: libvirt
+        password: password
+    hosts:
+      default: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        default: null
+  libvirt_exporter:
+    port:
+      metrics:
+        default: 9474
 
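Review bot: `auth.libvirt.password: password` ships a literal placeholder credential in the chart defaults; it is inert while `auth.enabled` is false, but enabling auth without overriding the value renders a registry pull secret containing `password`. Default it to `null` so the render fails on a missing credential rather than producing a guessable one, or at minimum annotate it with `# placeholder: must be overridden when auth.enabled is true`. I cannot see the helm-toolkit `secret_registry` template from here, so whether it already rejects an empty password is unverified.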
 network_policy:
   libvirt:
@@ -96,11 +116,64 @@
     log_level: "3"
     log_outputs: "1:file:/var/log/libvirt/libvirtd.log"
   qemu:
+    vnc_tls: "0"
+    vnc_tls_x509_verify: "0"
     stdio_handler: "file"
     user: "nova"
     group: "kvm"
   kubernetes:
-    cgroup: "kubepods"
+    cgroup: "kubepods.slice"
+  vencrypt:
+    # Issuer to use for the vencrypt certs.
+    issuer:
+      kind: ClusterIssuer
+      name: ca-clusterissuer
+    # Script is included here (vs in bin/) to allow overriding, in the case that
+    # communication happens over an IP other than the pod IP for some reason.
+    cert_init_sh: |
+      #!/bin/bash
+      set -x
+
+      # Script to create certs for each libvirt pod based on pod IP (by default).
+
+      cat <<EOF | kubectl apply -f -
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: ${POD_NAME}-${TYPE}
+        namespace: ${POD_NAMESPACE}
+        ownerReferences:
+          - apiVersion: v1
+            kind: Pod
+            name: ${POD_NAME}
+            uid: ${POD_UID}
+      spec:
+        secretName: ${POD_NAME}-${TYPE}
+        commonName: ${POD_IP}
+        usages:
+        - client auth
+        - server auth
+        dnsNames:
+        - ${HOSTNAME}
+        ipAddresses:
+        - ${POD_IP}
+        issuerRef:
+          kind: ${ISSUER_KIND}
+          name: ${ISSUER_NAME}
+      EOF
+
+      kubectl -n ${POD_NAMESPACE} wait --for=condition=Ready --timeout=300s \
+        certificate/${POD_NAME}-${TYPE}
+
+      # NOTE(mnaser): cert-manager does not clean-up the secrets when the certificate
+      #               is deleted, so we should add an owner reference to the secret
+      #               to ensure that it is cleaned up when the pod is deleted.
+      kubectl -n ${POD_NAMESPACE} patch secret ${POD_NAME}-${TYPE} \
+        --type=json -p='[{"op": "add", "path": "/metadata/ownerReferences", "value": [{"apiVersion": "v1", "kind": "Pod", "name": "'${POD_NAME}'", "uid": "'${POD_UID}'"}]}]'
+
+      kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/${TYPE}.crt
+      kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.key}' | base64 -d > /tmp/${TYPE}.key
+      kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/${TYPE}-ca.crt
 
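Review bot: `cert_init_sh` runs with only `set -x`, so a failed `kubectl apply`, a `wait` that times out after 300s, or a failed `patch` is not fatal and the script proceeds to write whatever the failing `get secret` calls return into `/tmp/${TYPE}.crt` and `/tmp/${TYPE}.key`, leaving libvirt to start with empty certificate files. Adding `set -euo pipefail` directly after `set -x` makes each step fatal. The private key is also written under `/tmp` with the container's default umask; a preceding `umask 077` keeps it unreadable by other processes sharing that filesystem, though whether /tmp is shared with anything is not visible in this diff. A leading comment noting that the script requires the cert-manager Role (`manifests.role_cert_manager`) and runs under the `libvirt` service account would also help the next reader.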
 pod:
   probes:
@@ -130,6 +203,11 @@
         libvirt:
           privileged: true
           readOnlyRootFilesystem: false
+        libvirt_exporter:
+          privileged: true
+  sidecars:
+    libvirt_exporter: false
+
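Review bot: `libvirt_exporter.privileged: true` grants the metrics sidecar the full host capability set, and nothing in this diff shows the exporter needing more than reachability to libvirt; copying the libvirt container's privilege level is more than least privilege calls for. It ships disabled (`sidecars.libvirt_exporter: false`), so the default is not exposed, but anyone enabling it inherits a privileged container running an unpinned image. Consider `privileged: false` with only the mounts the exporter actually reads, or, if privilege really is required, a comment such as `# privileged: required because <reason>` so the grant is deliberate rather than inherited.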
   affinity:
     anti:
       type:
@@ -138,6 +216,16 @@
         default: kubernetes.io/hostname
       weight:
         default: 10
+  tolerations:
+    libvirt:
+      enabled: false
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule
   dns_policy: "ClusterFirstWithHostNet"
   mounts:
     libvirt:
@@ -168,6 +256,13 @@
         limits:
           memory: "1024Mi"
           cpu: "2000m"
+    libvirt_exporter:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "256Mi"
+        cpu: "500m"
 
 dependencies:
   dynamic:
@@ -215,13 +310,19 @@
         - endpoint: internal
           service: local_image_registry
 
-tls:
-  enabled: false
-
 manifests:
   configmap_bin: true
   configmap_etc: true
   daemonset_libvirt: true
   job_image_repo_sync: true
   network_policy: false
+  role_cert_manager: false
+  secret_registry: true
+
+secrets:
+  oci_image_registry:
+    libvirt: libvirt-oci-image-registry-key
+  tls:
+    server: libvirt-tls-server
+    client: libvirt-tls-client
 ...
diff --git a/roles/libvirt/tasks/main.yml b/roles/libvirt/tasks/main.yml
index 8c66d1f..eb4b4d9 100644
--- a/roles/libvirt/tasks/main.yml
+++ b/roles/libvirt/tasks/main.yml
@@ -36,6 +36,22 @@
         name: "{{ libvirt_helm_release_name }}"
         namespace: "{{ libvirt_helm_release_namespace }}"
 
+- name: Create Issuers
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      - apiVersion: cert-manager.io/v1
+        kind: Issuer
+        metadata:
+          name: "{{ item }}"
+          namespace: openstack
+        spec:
+          ca:
+            secretName: "{{ item }}-ca"
+  loop:
+    - libvirt-vnc
+    - libvirt-api
+
 - name: Deploy Helm chart
   run_once: true
   kubernetes.core.helm:
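Review bot: The Issuers are created in a hard-coded `namespace: openstack`, while the release two tasks above is deployed to `{{ libvirt_helm_release_namespace }}`; an `Issuer` is namespace-scoped, so any deployment that overrides the release namespace will render Certificates whose `issuerRef` cannot be resolved. Use `namespace: "{{ libvirt_helm_release_namespace }}"`. The task also assumes the `libvirt-vnc-ca` and `libvirt-api-ca` secrets already exist in that namespace, and nothing in this diff creates them, so a short comment naming where the CA secrets come from would help; the task likely also wants `run_once: true` like the Helm deploy below it.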
diff --git a/roles/libvirt/vars/main.yml b/roles/libvirt/vars/main.yml
index 6af7ad7..37e2ce8 100644
--- a/roles/libvirt/vars/main.yml
+++ b/roles/libvirt/vars/main.yml
@@ -30,3 +30,6 @@
       default_tls_x509_cert_dir: /etc/pki/qemu
       default_tls_x509_verify: "1"
       vnc_tls: "1"
+    vencrypt:
+      issuer: Issuer
+      name: libvirt-vnc-ca
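Review bot: The new `vencrypt` keys do not match the chart schema: values.yaml defines `conf.vencrypt.issuer` as a map with `kind` and `name`, but this hunk sets `issuer: Issuer` (a scalar) plus a sibling `name: libvirt-vnc-ca`, so Helm takes the string over the default map and templates that read `.Values.conf.vencrypt.issuer.kind`/`.name` will fail to render or pass empty values to the cert script. `libvirt-vnc-ca` is also the CA secret name, whereas the Issuer created in roles/libvirt/tasks/main.yml is named `libvirt-vnc`. Replace the two added lines with `issuer:` / `  kind: Issuer` / `  name: libvirt-vnc` nested under `vencrypt:`. The enclosing `conf` mapping starts outside this hunk.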