[ATMOSPHERE-562] [stable/2023.1] chart/nova: update to the latest version (#2260)

This is an automated cherry-pick of #2087
/assign okozachenko1203

Reviewed-by: Mohammed Naser <mnaser@vexxhost.com>
diff --git a/.charts.yml b/.charts.yml
index 140febd..e82ea2a 100644
--- a/.charts.yml
+++ b/.charts.yml
@@ -152,14 +152,9 @@
     repository:
       url: https://kubernetes-sigs.github.io/node-feature-discovery/charts
   - name: nova
-    version: 0.3.27
+    version: 0.3.46
     repository: *openstack_helm_repository
     dependencies: *openstack_helm_dependencies
-    patches:
-      gerrit:
-        review.opendev.org:
-          - 899809
-          - 904250
   - name: octavia
     version: 0.2.9
     repository: *openstack_helm_repository
diff --git a/charts/nova/Chart.yaml b/charts/nova/Chart.yaml
index e21ec81..0764f69 100644
--- a/charts/nova/Chart.yaml
+++ b/charts/nova/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/nova
 - https://opendev.org/openstack/openstack-helm
-version: 0.3.27
+version: 0.3.46
diff --git a/charts/nova/templates/bin/_cell-setup-init.sh.tpl b/charts/nova/templates/bin/_cell-setup-init.sh.tpl
index 9535085..3b6f8e8 100644
--- a/charts/nova/templates/bin/_cell-setup-init.sh.tpl
+++ b/charts/nova/templates/bin/_cell-setup-init.sh.tpl
@@ -69,3 +69,7 @@
   echo "Waiting for Nova Compute processes to register"
   sleep 10
 done
+
+{{- if .Values.jobs.cell_setup.extra_command }}
+{{ .Values.jobs.cell_setup.extra_command }}
+{{- end }}
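Review bot: `jobs.cell_setup.extra_command` is rendered into the script verbatim with nothing marking it as a code-execution hook, so whoever can set that value runs arbitrary shell in the cell-setup job with whatever credentials the job holds. Add a template comment above the block such as `{{/* extra_command: operator-supplied shell, rendered verbatim; values overrides must be trusted */}}` and document the key in values.yaml. The same applies to `jobs.service_cleaner.extra_command` in _nova-service-cleaner.sh.tpl. The script body starts outside this hunk, so whether a failing extra command aborts the job depends on a `set -e` that is not visible here.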
diff --git a/charts/nova/templates/bin/_nova-compute-init.sh.tpl b/charts/nova/templates/bin/_nova-compute-init.sh.tpl
index 442e7d6..4bc71a3 100644
--- a/charts/nova/templates/bin/_nova-compute-init.sh.tpl
+++ b/charts/nova/templates/bin/_nova-compute-init.sh.tpl
@@ -26,7 +26,11 @@
 if [[ -z $migration_interface ]]; then
     # search for interface with default routing
     # If there is not default gateway, exit
-    migration_interface=$(ip -4 route list 0/0 | awk -F 'dev' '{ print $2; exit }' | awk '{ print $1 }') || exit 1
+    migration_network_cidr="{{- .Values.conf.libvirt.live_migration_network_cidr -}}"
+    if [ -z "${migration_network_cidr}" ] ; then
+        migration_network_cidr="0/0"
+    fi
+    migration_interface=$(ip -4 route list ${migration_network_cidr} | awk -F 'dev' '{ print $2; exit }' | awk '{ print $1 }') || exit 1
 fi
 
 migration_address=$(ip a s $migration_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}' | head -1)
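Review bot: A CIDR that matches no route leaves `migration_interface` empty without tripping `|| exit 1`, because the status tested is that of the last `awk` in the pipeline (unless `pipefail` is set outside this hunk). The following `ip a s $migration_interface` then runs with no device and `head -1` takes the first `inet` line of any interface, commonly the loopback address, so the live-migration address can silently land on an unintended network. Add `[ -n "${migration_interface}" ] || exit 1` after the assignment and quote `"${migration_network_cidr}"` in the `ip -4 route list` call. The same pattern appears in the hypervisor hunk of this file, in the `client_interface` lookups of _nova-console-compute-init.sh.tpl and _nova-console-proxy-init.sh.tpl, and in the `listen_interface` lookup of _ssh-start.sh.tpl.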
@@ -45,7 +49,11 @@
 if [[ -z $hypervisor_interface ]]; then
     # search for interface with default routing
     # If there is not default gateway, exit
-    hypervisor_interface=$(ip -4 route list 0/0 | awk -F 'dev' '{ print $2; exit }' | awk '{ print $1 }') || exit 1
+    hypervisor_network_cidr="{{- .Values.conf.hypervisor.host_network_cidr -}}"
+    if [ -z "${hypervisor_network_cidr}" ] ; then
+        hypervisor_network_cidr="0/0"
+    fi
+    hypervisor_interface=$(ip -4 route list ${hypervisor_network_cidr} | awk -F 'dev' '{ print $2; exit }' | awk '{ print $1 }') || exit 1
 fi
 
 hypervisor_address=$(ip a s $hypervisor_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}' | head -1)
diff --git a/charts/nova/templates/bin/_nova-console-compute-init.sh.tpl b/charts/nova/templates/bin/_nova-console-compute-init.sh.tpl
index cb33330..b2fb92f 100644
--- a/charts/nova/templates/bin/_nova-console-compute-init.sh.tpl
+++ b/charts/nova/templates/bin/_nova-console-compute-init.sh.tpl
@@ -21,25 +21,25 @@
 if [ "${console_kind}" == "novnc" ] ; then
     client_address="{{- .Values.conf.nova.vnc.server_proxyclient_address -}}"
     client_interface="{{- .Values.console.novnc.compute.vncserver_proxyclient_interface -}}"
+    client_network_cidr="{{- .Values.console.novnc.compute.vncserver_proxyclient_network_cidr -}}"
     listen_ip="{{- .Values.conf.nova.vnc.server_listen -}}"
 elif [ "${console_kind}" == "spice" ] ; then
     client_address="{{- .Values.conf.nova.spice.server_proxyclient_address -}}"
     client_interface="{{- .Values.console.spice.compute.server_proxyclient_interface -}}"
+    client_network_cidr="{{- .Values.console.spice.compute.server_proxyclient_network_cidr -}}"
     listen_ip="{{- .Values.conf.nova.spice.server_listen -}}"
 fi
 
 if [ -z "${client_address}" ] ; then
     if [ -z "${client_interface}" ] ; then
-        if  [ -x "$(command -v route)" ] ; then
-            # search for interface with default routing, if multiple default routes exist then select the one with the lowest metric.
-            client_interface=$(route -n | awk '/^0.0.0.0/ { print $5 " " $NF }' | sort | awk '{ print $NF; exit }')
-        else
-            client_interface=$(ip r | grep default | awk '{print $5}')
+        if [ -z "${client_network_cidr}" ] ; then
+            client_network_cidr="0/0"
         fi
+        client_interface=$(ip -4 route list ${client_network_cidr} | awk -F 'dev' '{ print $2; exit }' | awk '{ print $1 }') || exit 1
     fi
 
     # determine client ip dynamically based on interface provided
-    client_address=$(ip a s $client_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}' | head -n 1)
+    client_address=$(ip a s $client_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}' | head -1)
 fi
 
 if [ -z "${listen_ip}" ] ; then
diff --git a/charts/nova/templates/bin/_nova-console-proxy-init.sh.tpl b/charts/nova/templates/bin/_nova-console-proxy-init.sh.tpl
index f3522c9..4eedda9 100644
--- a/charts/nova/templates/bin/_nova-console-proxy-init.sh.tpl
+++ b/charts/nova/templates/bin/_nova-console-proxy-init.sh.tpl
@@ -21,25 +21,25 @@
 if [ "${console_kind}" == "novnc" ] ; then
     client_address="{{- .Values.conf.nova.vnc.server_proxyclient_address -}}"
     client_interface="{{- .Values.console.novnc.vncproxy.vncserver_proxyclient_interface -}}"
+    client_network_cidr="{{- .Values.console.novnc.vncproxy.vncserver_proxyclient_network_cidr -}}"
     listen_ip="{{- .Values.conf.nova.vnc.server_listen -}}"
 elif [ "${console_kind}" == "spice" ] ; then
     client_address="{{- .Values.conf.nova.spice.server_proxyclient_address -}}"
     client_interface="{{- .Values.console.spice.proxy.server_proxyclient_interface -}}"
+    client_network_cidr="{{- .Values.console.spice.proxy.server_proxyclient_network_cidr -}}"
     listen_ip="{{- .Values.conf.nova.spice.server_listen -}}"
 fi
 
 if [ -z "${client_address}" ] ; then
     if [ -z "${client_interface}" ] ; then
-        if  [ -x "$(command -v route)" ] ; then
-            # search for interface with default routing, if multiple default routes exist then select the one with the lowest metric.
-            client_interface=$(route -n | awk '/^0.0.0.0/ { print $5 " " $NF }' | sort | awk '{ print $NF; exit }')
-        else
-            client_interface=$(ip r | grep default | awk '{print $5}')
+        if [ -z "${client_network_cidr}" ] ; then
+            client_network_cidr="0/0"
         fi
+        client_interface=$(ip -4 route list ${client_network_cidr} | awk -F 'dev' '{ print $2; exit }' | awk '{ print $1 }') || exit 1
     fi
 
     # determine client ip dynamically based on interface provided
-    client_address=$(ip a s $client_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}' | head -n 1)
+    client_address=$(ip a s $client_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}' | head -1)
 fi
 
 if [ -z "${listen_ip}" ] ; then
diff --git a/charts/nova/templates/bin/_nova-service-cleaner.sh.tpl b/charts/nova/templates/bin/_nova-service-cleaner.sh.tpl
index 2242757..978ca6d 100644
--- a/charts/nova/templates/bin/_nova-service-cleaner.sh.tpl
+++ b/charts/nova/templates/bin/_nova-service-cleaner.sh.tpl
@@ -30,3 +30,7 @@
     openstack compute service delete "${SERVICE_ID}"
   done
 done
+
+{{- if .Values.jobs.service_cleaner.extra_command }}
+{{ .Values.jobs.service_cleaner.extra_command }}
+{{- end }}
diff --git a/charts/nova/templates/bin/_ssh-start.sh.tpl b/charts/nova/templates/bin/_ssh-start.sh.tpl
index 562da44..feca575 100644
--- a/charts/nova/templates/bin/_ssh-start.sh.tpl
+++ b/charts/nova/templates/bin/_ssh-start.sh.tpl
@@ -26,7 +26,15 @@
 IFS=''
 
 subnet_address="{{- .Values.network.ssh.from_subnet -}}"
+
+if [ -z "${subnet_address}" ] ; then
+    subnet_address="0.0.0.0/0"
+fi
+listen_interface=$(ip -4 route list ${subnet_address} | awk -F 'dev' '{ print $2; exit }' | awk '{ print $1 }') || exit 1
+listen_address=$(ip a s $listen_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}' | head -1)
+
 cat > /tmp/sshd_config_extend <<EOF
+ListenAddress $listen_address
 PasswordAuthentication no
 Match Address $subnet_address
     PermitRootLogin without-password
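Review bot: The `0.0.0.0/0` fallback is written into `subnet_address` itself, so the heredoc's `Match Address $subnet_address` becomes a match-all block and `PermitRootLogin without-password` applies to every source address whenever `network.ssh.from_subnet` is unset. Keep the fallback in a separate variable used only for the route lookup, e.g. `route_cidr="${subnet_address:-0.0.0.0/0}"` with `ip -4 route list "${route_cidr}"`, and decide explicitly what an empty `from_subnet` should mean for the `Match` block (failing the script is the conservative choice). The heredoc continues outside the hunk, so any further directives under the `Match` block are not visible here.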
diff --git a/charts/nova/templates/bin/_storage-init.sh.tpl b/charts/nova/templates/bin/_storage-init.sh.tpl
new file mode 100644
index 0000000..cb3505d
--- /dev/null
+++ b/charts/nova/templates/bin/_storage-init.sh.tpl
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+if [ "x$STORAGE_BACKEND" == "xrbd" ]; then
+  SECRET=$(mktemp --suffix .yaml)
+  KEYRING=$(mktemp --suffix .keyring)
+  function cleanup {
+      rm -f ${SECRET} ${KEYRING}
+  }
+  trap cleanup EXIT
+fi
+
+set -ex
+if [ "x$STORAGE_BACKEND" == "xrbd" ]; then
+  ceph -s
+  function ensure_pool () {
+    ceph osd pool stats $1 || ceph osd pool create $1 $2
+    if [[ $(ceph mgr versions | awk '/version/{print $3}' | cut -d. -f1) -ge 12 ]]; then
+        ceph osd pool application enable $1 $3
+    fi
+    size_protection=$(ceph osd pool get $1 nosizechange | cut -f2 -d: | tr -d '[:space:]')
+    ceph osd pool set $1 nosizechange 0
+    ceph osd pool set $1 size ${RBD_POOL_REPLICATION}
+    ceph osd pool set $1 nosizechange ${size_protection}
+    ceph osd pool set $1 crush_rule "${RBD_POOL_CRUSH_RULE}"
+  }
+  ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} ${RBD_POOL_APP_NAME}
+fi
\ No newline at end of file
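Review bot: `ensure_pool` clears `nosizechange` and restores it only if `ceph osd pool set $1 size` succeeds; under `set -e` a failure there exits with the pool's size protection left disabled. Capture the status and restore first, e.g. `ceph osd pool set "$1" size "${RBD_POOL_REPLICATION}" || rc=$?`, then the existing restore line, then `[ -z "${rc:-}" ] || exit "${rc}"`. The positional and `RBD_POOL_*` expansions are unquoted although they originate from chart values, and `SECRET`/`KEYRING` are created and cleaned up but never used in this script. `set -x` traces every command in a job that is given a Ceph keyring, so secrets should stay out of command arguments if the script grows.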
diff --git a/charts/nova/templates/configmap-bin.yaml b/charts/nova/templates/configmap-bin.yaml
index 90a91a9..564c230 100644
--- a/charts/nova/templates/configmap-bin.yaml
+++ b/charts/nova/templates/configmap-bin.yaml
@@ -39,6 +39,8 @@
 {{- end }}
   rally-test.sh: |
 {{ tuple $rallyTests | include "helm-toolkit.scripts.rally_test" | indent 4 }}
+  storage-init.sh: |
+{{ tuple "bin/_storage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   db-init.py: |
 {{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
   db-sync.sh: |
diff --git a/charts/nova/templates/configmap-etc.yaml b/charts/nova/templates/configmap-etc.yaml
index a9e09ef..6f00a1c 100644
--- a/charts/nova/templates/configmap-etc.yaml
+++ b/charts/nova/templates/configmap-etc.yaml
@@ -151,8 +151,8 @@
 {{- $_ := set .Values.conf.nova.DEFAULT "metadata_host" .Values.endpoints.compute_metadata.ip.ingress -}}
 {{- end -}}
 
-{{- if empty .Values.conf.nova.DEFAULT.metadata_port -}}
-{{- $_ := tuple "compute_metadata" "public" "metadata" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.nova.DEFAULT "metadata_port" -}}
+{{- if empty .Values.conf.nova.DEFAULT.metadata_listen_port -}}
+{{- $_ := tuple "compute_metadata" "internal" "metadata" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.nova.DEFAULT "metadata_listen_port" -}}
 {{- end -}}
 
 {{- if empty .Values.conf.nova.placement.auth_url -}}
diff --git a/charts/nova/templates/daemonset-compute.yaml b/charts/nova/templates/daemonset-compute.yaml
index e1125f9..3ad00ff 100644
--- a/charts/nova/templates/daemonset-compute.yaml
+++ b/charts/nova/templates/daemonset-compute.yaml
@@ -87,6 +87,7 @@
       annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ tuple "nova_compute" . | include "helm-toolkit.snippets.custom_pod_annotations" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute" "init" "nova-compute-init" "nova-compute-vnc-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
diff --git a/charts/nova/templates/deployment-api-metadata.yaml b/charts/nova/templates/deployment-api-metadata.yaml
index 2f0463e..51e30c9 100644
--- a/charts/nova/templates/deployment-api-metadata.yaml
+++ b/charts/nova/templates/deployment-api-metadata.yaml
@@ -57,6 +57,7 @@
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ tuple "nova_api_metadata" . | include "helm-toolkit.snippets.custom_pod_annotations" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "nova-api-metadata" "containerNames" (list "nova-api-metadata-init" "nova-api" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
diff --git a/charts/nova/templates/deployment-api-osapi.yaml b/charts/nova/templates/deployment-api-osapi.yaml
index 88bbf41..b203ba6 100644
--- a/charts/nova/templates/deployment-api-osapi.yaml
+++ b/charts/nova/templates/deployment-api-osapi.yaml
@@ -57,6 +57,7 @@
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ tuple "nova_api_osapi" . | include "helm-toolkit.snippets.custom_pod_annotations" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "nova-api-osapi" "containerNames" (list "nova-osapi" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
diff --git a/charts/nova/templates/deployment-conductor.yaml b/charts/nova/templates/deployment-conductor.yaml
index df07583..b58b385 100644
--- a/charts/nova/templates/deployment-conductor.yaml
+++ b/charts/nova/templates/deployment-conductor.yaml
@@ -66,6 +66,7 @@
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ tuple "nova_conductor" . | include "helm-toolkit.snippets.custom_pod_annotations" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "nova-conductor" "containerNames" (list "nova-conductor" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
diff --git a/charts/nova/templates/deployment-novncproxy.yaml b/charts/nova/templates/deployment-novncproxy.yaml
index e1c79ab..f4c1d8b 100644
--- a/charts/nova/templates/deployment-novncproxy.yaml
+++ b/charts/nova/templates/deployment-novncproxy.yaml
@@ -55,6 +55,7 @@
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ tuple "nova_novncproxy" . | include "helm-toolkit.snippets.custom_pod_annotations" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "nova-novncproxy" "containerNames" (list "nova-novncproxy" "nova-novncproxy-init-assets" "nova-novncproxy-init" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
@@ -144,9 +145,14 @@
               readOnly: true
             - name: pod-shared
               mountPath: /tmp/pod-shared
+            {{- if $vencrypt_enabled }}
+            - name: {{ .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal }}
+              mountPath: /etc/pki/nova-novncproxy
+              readOnly: true
+            {{- end }}
+
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" $vencrypt_enabled "name" .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal "path" "/etc/pki/nova-novncproxy" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
       volumes:
@@ -164,9 +170,14 @@
           emptyDir: {}
         - name: pod-shared
           emptyDir: {}
+        {{- if $vencrypt_enabled }}
+        - name: {{ .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal }}
+          secret:
+            secretName: {{ .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal }}
+            defaultMode: 0444
+        {{- end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" $vencrypt_enabled "name" .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
 {{- end }}
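Review bot: `defaultMode: 0444` makes every file in the vencrypt secret volume world-readable inside the pod, and that secret presumably carries the proxy's client private key. If the pod security context supplies a matching `fsGroup` (not visible in this hunk), `defaultMode: 0440` would narrow it; otherwise add a comment above the volume stating why 0444 is required. The inline block replaces the `helm-toolkit.snippets.tls_volume` call removed below it, so it is worth confirming the new mode is not looser than what the snippet produced.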
diff --git a/charts/nova/templates/deployment-scheduler.yaml b/charts/nova/templates/deployment-scheduler.yaml
index e8a63a2..bba444c 100644
--- a/charts/nova/templates/deployment-scheduler.yaml
+++ b/charts/nova/templates/deployment-scheduler.yaml
@@ -66,6 +66,7 @@
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ tuple "nova_scheduler" . | include "helm-toolkit.snippets.custom_pod_annotations" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "nova-scheduler" "containerNames" (list "nova-scheduler" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
diff --git a/charts/nova/templates/deployment-spiceproxy.yaml b/charts/nova/templates/deployment-spiceproxy.yaml
index 2c65401..eca1628 100644
--- a/charts/nova/templates/deployment-spiceproxy.yaml
+++ b/charts/nova/templates/deployment-spiceproxy.yaml
@@ -53,6 +53,7 @@
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ tuple "nova_spiceproxy" . | include "helm-toolkit.snippets.custom_pod_annotations" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
 {{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
diff --git a/charts/nova/templates/ingress-novncproxy.yaml b/charts/nova/templates/ingress-novncproxy.yaml
index cad53cf..ec68fb6 100644
--- a/charts/nova/templates/ingress-novncproxy.yaml
+++ b/charts/nova/templates/ingress-novncproxy.yaml
@@ -12,7 +12,7 @@
 limitations under the License.
 */}}
 
-{{- if and .Values.manifests.ingress_novncproxy .Values.network.novncproxy.ingress.public }}
+{{- if and .Values.manifests.ingress_novncproxy .Values.network.novncproxy.ingress.public (eq .Values.console.console_kind "novnc") }}
 {{- $envAll := . }}
 {{- $ingressOpts := dict "envAll" $envAll "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" "backendPort" "n-novnc" -}}
 {{- $secretName := $envAll.Values.secrets.tls.compute_novnc_proxy.novncproxy.internal -}}
diff --git a/charts/nova/templates/ingress-spiceproxy.yaml b/charts/nova/templates/ingress-spiceproxy.yaml
new file mode 100644
index 0000000..020797d
--- /dev/null
+++ b/charts/nova/templates/ingress-spiceproxy.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_spiceproxy .Values.network.spiceproxy.ingress.public (eq .Values.console.console_kind "spice") }}
+{{- $envAll := . }}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "spiceproxy" "backendServiceType" "compute_spice_proxy" "backendPort" "n-spice" -}}
+{{- $secretName := $envAll.Values.secrets.tls.compute_spice_proxy.spiceproxy.internal -}}
+{{- if and .Values.manifests.certificates $secretName }}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_spice_proxy.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end }}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/job-bootstrap.yaml b/charts/nova/templates/job-bootstrap.yaml
index eb5e602..de8812d 100644
--- a/charts/nova/templates/job-bootstrap.yaml
+++ b/charts/nova/templates/job-bootstrap.yaml
@@ -20,7 +20,6 @@
 {{- $configMapBin := printf "%s-%s" $serviceName "bin" -}}
 {{- $configMapEtc := printf "%s-%s" $serviceName "etc" -}}
 {{- $configFile := printf "/etc/%s/%s.conf" $serviceName $serviceName -}}
-{{- $logConfigFile := $envAll.Values.conf.nova.DEFAULT.log_config_append -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
 {{- $serviceAccountName := printf "%s-%s" $serviceName "bootstrap" -}}
 {{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@@ -97,10 +96,12 @@
               mountPath: {{ $configFile | quote }}
               subPath: {{ base $configFile | quote }}
               readOnly: true
+            {{- if .Values.conf.nova.DEFAULT.log_config_append }}
             - name: bootstrap-conf
-              mountPath: {{ $logConfigFile | quote }}
-              subPath: {{ base $logConfigFile | quote }}
+              mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append | quote }}
+              subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append | quote }}
               readOnly: true
+            {{- end }}
 {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
       volumes:
         - name: pod-tmp
diff --git a/charts/nova/templates/job-nova-storage-init.yaml b/charts/nova/templates/job-nova-storage-init.yaml
new file mode 100644
index 0000000..9748a5f
--- /dev/null
+++ b/charts/nova/templates/job-nova-storage-init.yaml
@@ -0,0 +1,167 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_storage_init .Values.conf.ceph.enabled }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "nova-storage-init" }}
+{{ tuple $envAll "storage_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+      - update
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+{{- if .Values.helm3_hook }}
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-weight: "-6"
+{{- end }}
+  name: nova-storage-init
+  labels:
+{{ tuple $envAll "nova" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "nova" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.nova.enabled }}
+{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "storage_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        {{- if $envAll.Values.conf.ceph.enabled }}
+        - name: ceph-keyring-placement
+{{ tuple $envAll "nova_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+          securityContext:
+            runAsUser: 0
+          command:
+            - /tmp/ceph-admin-keyring.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: nova-bin
+              mountPath: /tmp/ceph-admin-keyring.sh
+              subPath: ceph-admin-keyring.sh
+              readOnly: true
+            {{- if empty .Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{ end }}
+        {{ end }}
+      containers:
+        - name: nova-storage-init
+{{ tuple $envAll "nova_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.storage_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: STORAGE_BACKEND
+              value: {{ .Values.conf.nova.libvirt.images_type | quote }}
+            {{- if eq .Values.conf.nova.libvirt.images_type "rbd" }}
+            - name: RBD_POOL_NAME
+              value: {{ .Values.conf.nova.libvirt.images_rbd_pool | quote }}
+            - name: RBD_POOL_APP_NAME
+              value: {{ .Values.rbd_pool.app_name | quote }}
+            - name: RBD_POOL_USER
+              value: {{ .Values.conf.nova.libvirt.rbd_user | quote }}
+            - name: RBD_POOL_CRUSH_RULE
+              value: {{ .Values.rbd_pool.crush_rule | quote }}
+            - name: RBD_POOL_REPLICATION
+              value: {{ .Values.rbd_pool.replication | quote }}
+            - name: RBD_POOL_CHUNK_SIZE
+              value: {{ .Values.rbd_pool.chunk_size | quote }}
+            {{ end }}
+          command:
+            - /tmp/storage-init.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: nova-bin
+              mountPath: /tmp/storage-init.sh
+              subPath: storage-init.sh
+              readOnly: true
+            {{- if eq .Values.conf.nova.libvirt.images_type "rbd" }}
+            - name: etcceph
+              mountPath: /etc/ceph
+            - name: ceph-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+              readOnly: true
+            {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+            - name: ceph-keyring
+              mountPath: /tmp/client-keyring
+              subPath: key
+              readOnly: true
+            {{- end }}
+            {{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: nova-bin
+          configMap:
+            name: nova-bin
+            defaultMode: 0555
+        {{- if $envAll.Values.conf.ceph.enabled }}
+        - name: etcceph
+          emptyDir: {}
+        - name: ceph-etc
+          configMap:
+            name: {{ .Values.ceph_client.configmap }}
+            defaultMode: 0444
+        {{- if empty .Values.conf.ceph.admin_keyring }}
+        - name: ceph-keyring
+          secret:
+            secretName: {{ .Values.ceph_client.user_secret_name }}
+        {{- end }}
+        {{- end }}
+{{- end }}
\ No newline at end of file
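Review bot: The Role grants `get`, `create`, `update` and `patch` on all Secrets in the release namespace to the `nova-storage-init` service account, while the storage-init.sh added in this commit only runs `ceph` commands and never calls the Kubernetes API. Unless ceph-admin-keyring.sh (not shown) needs that access, drop the Role and RoleBinding or reduce the rule to the verbs actually used. The `ceph-keyring-placement` init container sets `runAsUser: 0` with no other container-level restriction; adding `allowPrivilegeEscalation: false` there should be checked against what the script writes, since `/tmp` and `/etc/ceph` are already volume mounts. The inner `if $envAll.Values.conf.ceph.enabled` guards are redundant with the top-level condition and could be removed.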
diff --git a/charts/nova/templates/secret-db-api.yaml b/charts/nova/templates/secret-db-api.yaml
index baf75b1..de53703 100644
--- a/charts/nova/templates/secret-db-api.yaml
+++ b/charts/nova/templates/secret-db-api.yaml
@@ -22,6 +22,8 @@
 kind: Secret
 metadata:
   name: {{ $secretName }}
+  annotations:
+{{ tuple "oslo_db_api" $userClass $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }}
 type: Opaque
 data:
 {{- if $envAll.Values.manifests.certificates }}
diff --git a/charts/nova/templates/secret-db-cell0.yaml b/charts/nova/templates/secret-db-cell0.yaml
index 100b57f..ac74bf9 100644
--- a/charts/nova/templates/secret-db-cell0.yaml
+++ b/charts/nova/templates/secret-db-cell0.yaml
@@ -22,6 +22,8 @@
 kind: Secret
 metadata:
   name: {{ $secretName }}
+  annotations:
+{{ tuple "oslo_db_cell0" $userClass $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }}
 type: Opaque
 data:
 {{- if $envAll.Values.manifests.certificates }}
diff --git a/charts/nova/templates/secret-db.yaml b/charts/nova/templates/secret-db.yaml
index d9cbf8f..885cae1 100644
--- a/charts/nova/templates/secret-db.yaml
+++ b/charts/nova/templates/secret-db.yaml
@@ -22,6 +22,8 @@
 kind: Secret
 metadata:
   name: {{ $secretName }}
+  annotations:
+{{ tuple "oslo_db" $userClass $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }}
 type: Opaque
 data:
 {{- if $envAll.Values.manifests.certificates }}
diff --git a/charts/nova/templates/secret-keystone.yaml b/charts/nova/templates/secret-keystone.yaml
index beddb30..2d6560c 100644
--- a/charts/nova/templates/secret-keystone.yaml
+++ b/charts/nova/templates/secret-keystone.yaml
@@ -21,6 +21,8 @@
 kind: Secret
 metadata:
   name: {{ $secretName }}
+  annotations:
+{{ tuple "identity" $userClass $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }}
 type: Opaque
 data:
 {{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
diff --git a/charts/nova/templates/secret_rabbitmq.yaml b/charts/nova/templates/secret-rabbitmq.yaml
similarity index 90%
rename from charts/nova/templates/secret_rabbitmq.yaml
rename to charts/nova/templates/secret-rabbitmq.yaml
index b49f84e..32f2169 100644
--- a/charts/nova/templates/secret_rabbitmq.yaml
+++ b/charts/nova/templates/secret-rabbitmq.yaml
@@ -25,6 +25,8 @@
 kind: Secret
 metadata:
   name: {{ $secretName }}
+  annotations:
+{{ tuple "oslo_messaging" $userClass $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }}
 type: Opaque
 data:
   RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
diff --git a/charts/nova/templates/secret-ssh.yaml b/charts/nova/templates/secret-ssh.yaml
index 4811b2e..9654c8b 100644
--- a/charts/nova/templates/secret-ssh.yaml
+++ b/charts/nova/templates/secret-ssh.yaml
@@ -20,6 +20,8 @@
 kind: Secret
 metadata:
   name: nova-ssh
+  annotations:
+{{ tuple "ssh" "keys" . | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }}
 type: Opaque
 data:
   private-key: {{ .Values.network.ssh.private_key | b64enc }}
diff --git a/charts/nova/templates/service-ingress-novncproxy.yaml b/charts/nova/templates/service-ingress-novncproxy.yaml
index caae913..434cf33 100644
--- a/charts/nova/templates/service-ingress-novncproxy.yaml
+++ b/charts/nova/templates/service-ingress-novncproxy.yaml
@@ -12,7 +12,7 @@
 limitations under the License.
 */}}
 
-{{- if and .Values.manifests.service_ingress_novncproxy .Values.network.novncproxy.ingress.public }}
+{{- if and .Values.manifests.service_ingress_novncproxy .Values.network.novncproxy.ingress.public (eq .Values.console.console_kind "novnc") }}
 {{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "compute_novnc_proxy" -}}
 {{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
 {{- end }}
diff --git a/charts/nova/templates/service-ingress-spiceproxy.yaml b/charts/nova/templates/service-ingress-spiceproxy.yaml
new file mode 100644
index 0000000..e0bd3d5
--- /dev/null
+++ b/charts/nova/templates/service-ingress-spiceproxy.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_spiceproxy .Values.network.spiceproxy.ingress.public (eq .Values.console.console_kind "spice") }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "compute_spice_proxy" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/nova/values.yaml b/charts/nova/values.yaml
index fe02e60..e0c5866 100644
--- a/charts/nova/values.yaml
+++ b/charts/nova/values.yaml
@@ -54,31 +54,32 @@
 images:
   pull_policy: IfNotPresent
   tags:
-    bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
-    db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
-    db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
-    dep_check: 'quay.io/airshipit/kubernetes-entrypoint:v1.0.0'
-    rabbit_init: docker.io/rabbitmq:3.7-management
-    ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
-    ks_service: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
-    nova_archive_deleted_rows: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
-    ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
-    nova_api: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
-    nova_cell_setup: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
-    nova_cell_setup_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
-    nova_compute: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
+    bootstrap: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
+    db_drop: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
+    db_init: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
+    dep_check: 'quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal'
+    rabbit_init: docker.io/rabbitmq:3.13-management
+    ks_user: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
+    ks_service: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
+    nova_archive_deleted_rows: docker.io/openstackhelm/nova:2024.1-ubuntu_jammy
+    ks_endpoints: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
+    nova_api: docker.io/openstackhelm/nova:2024.1-ubuntu_jammy
+    nova_cell_setup: docker.io/openstackhelm/nova:2024.1-ubuntu_jammy
+    nova_cell_setup_init: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
+    nova_compute: docker.io/openstackhelm/nova:2024.1-ubuntu_jammy
     nova_compute_ironic: 'docker.io/kolla/ubuntu-source-nova-compute-ironic:wallaby'
-    nova_compute_ssh: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
-    nova_conductor: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
-    nova_db_sync: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
-    nova_novncproxy: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
+    nova_compute_ssh: docker.io/openstackhelm/nova:2024.1-ubuntu_jammy
+    nova_conductor: docker.io/openstackhelm/nova:2024.1-ubuntu_jammy
+    nova_db_sync: docker.io/openstackhelm/nova:2024.1-ubuntu_jammy
+    nova_novncproxy: docker.io/openstackhelm/nova:2024.1-ubuntu_jammy
     nova_novncproxy_assets: 'docker.io/kolla/ubuntu-source-nova-novncproxy:wallaby'
-    nova_scheduler: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
+    nova_scheduler: docker.io/openstackhelm/nova:2024.1-ubuntu_jammy
+    nova_storage_init: 'docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy'
     # NOTE(portdirect): we simply use the ceph config helper here,
     # as it has both oscli and jq.
-    nova_service_cleaner: 'docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_focal'
-    nova_spiceproxy: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
-    nova_spiceproxy_assets: docker.io/openstackhelm/nova:wallaby-ubuntu_focal
+    nova_service_cleaner: 'docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy'
+    nova_spiceproxy: docker.io/openstackhelm/nova:2024.1-ubuntu_jammy
+    nova_spiceproxy_assets: docker.io/openstackhelm/nova:2024.1-ubuntu_jammy
     test: docker.io/xrally/xrally-openstack:2.0.0
     image_repo_sync: docker.io/docker:17.07.0
     nova_wait_for_computes_init: gcr.io/google_containers/hyperkube-amd64:v1.11.6
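Review bot: `dep_check` moves from the fixed tag `v1.0.0` to the floating tag `latest-ubuntu_focal`, and the new `nova_storage_init` entry also uses a `latest-*` tag. With `pull_policy: IfNotPresent`, different nodes can then run different image contents under the same name. Since this image is used for the dependency-check init containers, I would pin it by digest, e.g. `dep_check: 'quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal@sha256:<digest-placeholder>'`. The role defaults later in this commit override `nova_storage_init` with a `registry.atmosphere.dev` image; whether `dep_check` is overridden the same way is not visible in this diff.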
@@ -101,6 +102,7 @@
       enabled: false
       iteration: 3
       duration: 5
+    extra_command: null
   service_cleaner:
     cron: "0 */1 * * *"
     starting_deadline: 600
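Review bot: `extra_command` is added with no comment, although `_cell-setup-init.sh.tpl` in this commit renders `.Values.jobs.cell_setup.extra_command` unquoted into the job's shell script, so whatever is set here runs with that job's credentials. The key appears to sit under `jobs.cell_setup`, and the next hunk adds the same key under `service_cleaner`; that template is not visible in this part of the diff but presumably behaves the same way. I would document this on both keys, e.g. `# Shell text appended verbatim to the job script; set only from trusted values files.`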
@@ -108,6 +110,7 @@
       success: 3
       failed: 1
     sleep_time: 60
+    extra_command: null
   archive_deleted_rows:
     cron: "0 */1 * * *"
     starting_deadline: 600
@@ -244,6 +247,13 @@
       enabled: false
       port: 30680
   spiceproxy:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
     node_port:
       enabled: false
       port: 30682
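Review bot: The new `spiceproxy.ingress` block defaults to `public: true`, and `ingress_spiceproxy` and `service_ingress_spiceproxy` also default to `true` further down, so selecting `console_kind: spice` exposes the console proxy through the public ingress class with no further opt-in. A later endpoint hunk adds `public: 80` for `spice_proxy`, so it is worth confirming the public host is actually served with the `nova-spiceproxy-tls-public` secret, since console sessions are authorised by a token carried in the URL. A comment above `ingress:` would help, e.g. `# Public ingress for the SPICE console; set public: false when consoles are reachable only internally.` The Atmosphere role vars in this commit set both manifest flags to `false`, so this mainly affects direct users of the chart.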
@@ -492,23 +502,37 @@
   spice:
     compute:
       # IF blank, search default routing interface
-      server_proxyclient_interface:
+      server_proxyclient_interface: null
+      # or set network cidr
+      server_proxyclient_network_cidr: 0/0
     proxy:
       # IF blank, search default routing interface
-      server_proxyclient_interface:
+      server_proxyclient_interface: null
+      # or set network cidr
+      server_proxyclient_network_cidr: 0/0
   novnc:
     compute:
       # IF blank, search default routing interface
-      vncserver_proxyclient_interface:
+      vncserver_proxyclient_interface: null
+      # or set network cidr
+      vncserver_proxyclient_network_cidr: 0/0
     vncproxy:
       # IF blank, search default routing interface
-      vncserver_proxyclient_interface:
+      vncserver_proxyclient_interface: null
+      # or set network cidr
+      vncserver_proxyclient_network_cidr: 0/0
   address_search_enabled: true
 
 ceph_client:
   configmap: ceph-etc
   user_secret_name: pvc-ceph-client-key
 
+rbd_pool:
+  app_name: nova-vms
+  replication: 3
+  crush_rule: replicated_rule
+  chunk_size: 8
+
 conf:
   security: |
     #
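Review bot: The four `*_proxyclient_network_cidr` keys carry only the comment `# or set network cidr`, which does not say that the default `0/0` means "whichever interface carries the default route". That appears to keep the old behaviour (the previous init script ran `ip -4 route list 0/0`), but it also means console proxy-client traffic binds to the default-route address unless a dedicated network is configured. The next hunk adds `live_migration_network_cidr` and `host_network_cidr` with the same default. I would expand the comment, e.g. `# CIDR used to pick the interface when the name is null; 0/0 follows the default route, so set the management or migration network here.`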
@@ -1343,11 +1367,16 @@
     # When "address_search_enabled", get the IP address to be used as the target for live migration
     # traffic using interface name.
     # If this option is set to None, the hostname of the migration target compute node will be used.
-    live_migration_interface:
+    live_migration_interface: null
+    # or set cidr
+    live_migration_network_cidr: 0/0
   hypervisor:
     address_search_enabled: true
     # my_ip can be set automatically through this interface name.
-    host_interface:
+    host_interface: null
+    # If host_interface is null there is a fallback mechanism to search
+    # for interface with routing using host network cidr.
+    host_network_cidr: 0/0
   # This list is the keys to exclude from the config file ingested by nova-compute
   nova_compute_redactions:
     - database
@@ -1385,6 +1414,10 @@
       # server_proxyclient_address: 127.0.0.1
     conductor:
       workers: 1
+    scheduler:
+      max_attempts: 10
+      discover_hosts_in_cells_interval: -1
+      workers: 1
     oslo_policy:
       policy_file: /etc/nova/policy.yaml
     oslo_concurrency:
@@ -1539,20 +1572,15 @@
     uwsgi:
       add-header: "Connection: close"
       buffer-size: 65535
-      chunked-input-limit: "4096000"
       die-on-term: true
       enable-threads: true
       exit-on-reload: false
       hook-master-start: unix_signal:15 gracefully_kill_them_all
-      http-auto-chunked: true
-      http-raw-body: true
       lazy-apps: true
       log-x-forwarded-for: true
       master: true
-      need-app: true
       procname-prefix-spaced: "nova-api:"
       route-user-agent: '^kube-probe.* donotlog:'
-      socket-timeout: 10
       thunder-lock: true
       worker-reload-mercy: 80
       wsgi-file: /var/lib/openstack/bin/nova-api-wsgi
@@ -1560,20 +1588,15 @@
     uwsgi:
       add-header: "Connection: close"
       buffer-size: 65535
-      chunked-input-limit: 4096000
       die-on-term: true
       enable-threads: true
       exit-on-reload: false
       hook-master-start: unix_signal:15 gracefully_kill_them_all
-      http-auto-chunked: true
-      http-raw-body: true
       lazy-apps: true
       log-x-forwarded-for: true
       master: true
-      need-app: true
       procname-prefix-spaced: "nova-metadata:"
       route-user-agent: '^kube-probe.* donotlog:'
-      socket-timeout: 10
       thunder-lock: true
       worker-reload-mercy: 80
       wsgi-file: /var/lib/openstack/bin/nova-metadata-wsgi
@@ -1613,7 +1636,8 @@
         internal: metadata-tls-metadata
     compute_spice_proxy:
       spiceproxy:
-        internal: nova-tls-spiceproxy
+        public: nova-spiceproxy-tls-public
+        internal: nova-spiceproxy-tls-proxy
   oci_image_registry:
     nova: nova-oci-image-registry
 
@@ -1914,7 +1938,7 @@
     name: nova
     hosts:
       default: nova-spiceproxy
-      public: placement
+      public: spiceproxy
     host_fqdn_override:
       default: null
     path:
@@ -1924,6 +1948,7 @@
     port:
       spice_proxy:
         default: 6082
+        public: 80
   placement:
     name: placement
     hosts:
@@ -2414,6 +2439,13 @@
         limits:
           memory: "1024Mi"
           cpu: "2000m"
+      storage_init:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
       db_init:
         requests:
           memory: "128Mi"
@@ -2536,8 +2568,10 @@
   deployment_scheduler: true
   ingress_metadata: true
   ingress_novncproxy: true
+  ingress_spiceproxy: true
   ingress_osapi: true
   job_bootstrap: true
+  job_storage_init: true
   job_db_init: true
   job_db_sync: true
   job_db_drop: false
@@ -2560,6 +2594,7 @@
   secret_registry: true
   service_ingress_metadata: true
   service_ingress_novncproxy: true
+  service_ingress_spiceproxy: true
   service_ingress_osapi: true
   service_metadata: true
   service_novncproxy: true
diff --git a/charts/patches/nova/0001-tune-uwsgi-config.patch b/charts/patches/nova/0001-tune-uwsgi-config.patch
deleted file mode 100644
index eb6e791..0000000
--- a/charts/patches/nova/0001-tune-uwsgi-config.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-diff --git b/nova/values.yaml a/charts/nova/values.yaml
-index df2e2ff6..fe02e605 100644
---- b/nova/values.yaml
-+++ a/nova/values.yaml
-@@ -1539,15 +1539,20 @@ conf:
-     uwsgi:
-       add-header: "Connection: close"
-       buffer-size: 65535
-+      chunked-input-limit: "4096000"
-       die-on-term: true
-       enable-threads: true
-       exit-on-reload: false
-       hook-master-start: unix_signal:15 gracefully_kill_them_all
-+      http-auto-chunked: true
-+      http-raw-body: true
-       lazy-apps: true
-       log-x-forwarded-for: true
-       master: true
-+      need-app: true
-       procname-prefix-spaced: "nova-api:"
-       route-user-agent: '^kube-probe.* donotlog:'
-+      socket-timeout: 10
-       thunder-lock: true
-       worker-reload-mercy: 80
-       wsgi-file: /var/lib/openstack/bin/nova-api-wsgi
-@@ -1555,15 +1560,20 @@ conf:
-     uwsgi:
-       add-header: "Connection: close"
-       buffer-size: 65535
-+      chunked-input-limit: 4096000
-       die-on-term: true
-       enable-threads: true
-       exit-on-reload: false
-       hook-master-start: unix_signal:15 gracefully_kill_them_all
-+      http-auto-chunked: true
-+      http-raw-body: true
-       lazy-apps: true
-       log-x-forwarded-for: true
-       master: true
-+      need-app: true
-       procname-prefix-spaced: "nova-metadata:"
-       route-user-agent: '^kube-probe.* donotlog:'
-+      socket-timeout: 10
-       thunder-lock: true
-       worker-reload-mercy: 80
-       wsgi-file: /var/lib/openstack/bin/nova-metadata-wsgi
diff --git a/roles/defaults/vars/main.yml b/roles/defaults/vars/main.yml
index b977649..86415bf 100644
--- a/roles/defaults/vars/main.yml
+++ b/roles/defaults/vars/main.yml
@@ -174,6 +174,7 @@
   nova_service_cleaner: "registry.atmosphere.dev/library/heat:{{ atmosphere_release }}"
   nova_spiceproxy_assets: "registry.atmosphere.dev/library/nova:{{ atmosphere_release }}"
   nova_spiceproxy: "registry.atmosphere.dev/library/nova:{{ atmosphere_release }}"
+  nova_storage_init: "registry.atmosphere.dev/library/heat:{{ atmosphere_release }}"
   oauth2_proxy: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
   octavia_api: "registry.atmosphere.dev/library/octavia:{{ atmosphere_release }}"
   octavia_db_sync: "registry.atmosphere.dev/library/octavia:{{ atmosphere_release }}"
diff --git a/roles/neutron/vars/main.yml b/roles/neutron/vars/main.yml
index a06ea22..9790b5f 100644
--- a/roles/neutron/vars/main.yml
+++ b/roles/neutron/vars/main.yml
@@ -68,7 +68,6 @@
         vpn_device_driver: neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
     metadata_agent:
       DEFAULT:
-        nova_metadata_port: 8775
         metadata_proxy_shared_secret: "{{ openstack_helm_endpoints['compute_metadata']['secret'] }}"
     plugins:
       ml2_conf:
diff --git a/roles/nova/vars/main.yml b/roles/nova/vars/main.yml
index b9fb880..71d980e 100644
--- a/roles/nova/vars/main.yml
+++ b/roles/nova/vars/main.yml
@@ -111,6 +111,7 @@
       os_vif_ovs:
         ovsdb_connection: unix:/run/openvswitch/db.sock
       scheduler:
+        max_attempts: 3
         workers: 8
         discover_hosts_in_cells_interval: 30
       vnc:
@@ -121,6 +122,20 @@
     nova_ironic:
       DEFAULT:
         force_config_drive: true
+    nova_api_uwsgi:
+      uwsgi:
+        chunked-input-limit: "4096000"
+        http-auto-chunked: true
+        http-raw-body: true
+        need-app: true
+        socket-timeout: 10
+    nova_metadata_uwsgi:
+      uwsgi:
+        chunked-input-limit: "4096000"
+        http-auto-chunked: true
+        http-raw-body: true
+        need-app: true
+        socket-timeout: 10
   manifests:
     deployment_consoleauth: false
     deployment_placement: false
@@ -128,16 +143,19 @@
     ingress_novncproxy: false
     ingress_osapi: false
     ingress_placement: false
+    ingress_spiceproxy: false
     job_db_init_placement: false
     job_ks_placement_endpoints: false
     job_ks_placement_service: false
     job_ks_placement_user: false
+    job_storage_init: false
     secret_keystone_placement: false
     service_ingress_metadata: false
     service_ingress_novncproxy: false
     service_ingress_osapi: false
     service_ingress_placement: false
     service_placement: false
+    service_ingress_spiceproxy: false
     # NOTE(mnaser): Enable this once we've got Ironic deployed.
     statefulset_compute_ironic: false