Fix nova-compute health probe and import upstream merges
diff --git a/charts/nova/Chart.yaml b/charts/nova/Chart.yaml
index 07e3872..eb47ead 100644
--- a/charts/nova/Chart.yaml
+++ b/charts/nova/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/nova
 - https://opendev.org/openstack/openstack-helm
-version: 0.3.16
+version: 0.3.19
diff --git a/charts/nova/requirements.lock b/charts/nova/requirements.lock
index 6db5f70..4cb5c9c 100644
--- a/charts/nova/requirements.lock
+++ b/charts/nova/requirements.lock
@@ -3,4 +3,4 @@
   repository: file://../../openstack-helm-infra/helm-toolkit
   version: 0.2.54
 digest: sha256:337a0f1ffb3eae591150b305c22293d85fb8c18abec78f56672de4f3ada2faae
-generated: "2023-08-19T09:33:02.220997881Z"
+generated: "2023-08-30T00:10:57.22984359Z"
diff --git a/charts/nova/templates/bin/_health-probe.py.tpl b/charts/nova/templates/bin/_health-probe.py.tpl
index 660d62b..a019187 100644
--- a/charts/nova/templates/bin/_health-probe.py.tpl
+++ b/charts/nova/templates/bin/_health-probe.py.tpl
@@ -142,7 +142,7 @@
     try:
         with open(sys.argv[2]) as conf_file:
             for line in conf_file:
-                if "connection =" in line:
+                if line.startswith("connection ="):
                     service = line.split(':', 3)[3].split('/')[1].rstrip('\n')
                     if service == "nova":
                         database_ports.add(
diff --git a/charts/nova/templates/bin/_ssh-init.sh.tpl b/charts/nova/templates/bin/_ssh-init.sh.tpl
index 9032933..8e5b187 100644
--- a/charts/nova/templates/bin/_ssh-init.sh.tpl
+++ b/charts/nova/templates/bin/_ssh-init.sh.tpl
@@ -20,7 +20,6 @@
 export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME})
 
 mkdir -p ${NOVA_USER_HOME}/.ssh
-chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
 
 cat > ${NOVA_USER_HOME}/.ssh/config <<EOF
 Host *
@@ -32,3 +31,4 @@
 
 cp /tmp/nova-ssh/* ${NOVA_USER_HOME}/.ssh/
 chmod 600 ${NOVA_USER_HOME}/.ssh/id_rsa
+chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
diff --git a/charts/nova/templates/certificate-novnc.yaml b/charts/nova/templates/certificate-novnc.yaml
deleted file mode 100644
index e0b613b..0000000
--- a/charts/nova/templates/certificate-novnc.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{/*

-Copyright (c) 2023 VEXXHOST, Inc.

-

-Licensed under the Apache License, Version 2.0 (the "License");

-you may not use this file except in compliance with the License.

-You may obtain a copy of the License at

-

-  http://www.apache.org/licenses/LICENSE-2.0

-

-Unless required by applicable law or agreed to in writing, software

-distributed under the License is distributed on an "AS IS" BASIS,

-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

-See the License for the specific language governing permissions and

-limitations under the License.

-*/}}

-

-{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}

-apiVersion: cert-manager.io/v1

-kind: Certificate

-metadata:

-  name: nova-novncproxy-vencrypt

-  namespace: {{ .Release.Namespace }}

-spec:

-  secretName: nova-novncproxy-vencrypt

-  commonName: nova-novncproxy

-  usages:

-  - client auth

-  issuerRef:

-    kind: Issuer

-    name: libvirt-vnc

-{{- end -}}

diff --git a/charts/nova/templates/certificates.yaml b/charts/nova/templates/certificates.yaml
index 3bf6c8d..39c98b0 100644
--- a/charts/nova/templates/certificates.yaml
+++ b/charts/nova/templates/certificates.yaml
@@ -17,6 +17,9 @@
 {{- if .Values.manifests.deployment_novncproxy }}
 {{ dict "envAll" . "service" "compute_novnc_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
 {{- end }}
+{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}
+{{ dict "envAll" . "service" "compute_novnc_vencrypt" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end }}
 {{- if .Values.manifests.deployment_placement }}
 {{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
 {{- end }}
diff --git a/charts/nova/templates/configmap-etc.yaml b/charts/nova/templates/configmap-etc.yaml
index 230305a..d098cbd 100644
--- a/charts/nova/templates/configmap-etc.yaml
+++ b/charts/nova/templates/configmap-etc.yaml
@@ -85,18 +85,6 @@
 {{- $_ := set $envAll.Values.conf.nova.wsgi "api_paste_config" "/var/lib/openstack/etc/nova/api-paste.ini" -}}
 {{- end }}
 
-{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}
-{{- if empty .Values.conf.nova.vnc.vencrypt_client_key }}
-{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_client_key" "/etc/pki/nova-novncproxy/tls.key" -}}
-{{- end }}
-{{- if empty .Values.conf.nova.vnc.vencrypt_client_cert }}
-{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_client_cert" "/etc/pki/nova-novncproxy/tls.crt" -}}
-{{- end }}
-{{- if empty .Values.conf.nova.vnc.vencrypt_ca_certs }}
-{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_ca_certs" "/etc/pki/nova-novncproxy/ca.crt" -}}
-{{- end }}
-{{- end }}
-
 {{- if empty .Values.conf.nova.database.connection -}}
 {{- $connection := tuple "oslo_db" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
 {{- if .Values.manifests.certificates -}}
@@ -204,6 +192,18 @@
 {{- end -}}
 {{- end -}}
 
+{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}
+{{- if empty .Values.conf.nova.vnc.vencrypt_client_key }}
+{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_client_key" "/etc/pki/nova-novncproxy/tls.key" -}}
+{{- end }}
+{{- if empty .Values.conf.nova.vnc.vencrypt_client_cert }}
+{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_client_cert" "/etc/pki/nova-novncproxy/tls.crt" -}}
+{{- end }}
+{{- if empty .Values.conf.nova.vnc.vencrypt_ca_certs }}
+{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_ca_certs" "/etc/pki/nova-novncproxy/ca.crt" -}}
+{{- end }}
+{{- end }}
+
 {{- if eq .Values.console.console_kind "spice"}}
 {{- $_ := "false" | set .Values.conf.nova.vnc "enabled" -}}
 {{- $_ := "true" | set .Values.conf.nova.spice "enabled" -}}
diff --git a/charts/nova/templates/deployment-novncproxy.yaml b/charts/nova/templates/deployment-novncproxy.yaml
index cd58fd4..e1c79ab 100644
--- a/charts/nova/templates/deployment-novncproxy.yaml
+++ b/charts/nova/templates/deployment-novncproxy.yaml
@@ -28,6 +28,8 @@
 {{- $mounts_nova_novncproxy := .Values.pod.mounts.nova_novncproxy.nova_novncproxy }}
 {{- $mounts_nova_novncproxy_init := .Values.pod.mounts.nova_novncproxy.init_novncproxy }}
 
+{{- $vencrypt_enabled := (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) }}
+
 {{- $serviceAccountName := "nova-novncproxy" }}
 {{ tuple $envAll "novncproxy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
@@ -133,11 +135,6 @@
               mountPath: /etc/nova/nova.conf
               subPath: nova.conf
               readOnly: true
-{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) }}
-            - name: vencrypt-certs
-              mountPath: /etc/pki/nova-novncproxy
-              readOnly: true
-{{- end }}
             - name: nova-etc
               mountPath: /etc/nova/logging.conf
               subPath: logging.conf
@@ -149,6 +146,7 @@
               mountPath: /tmp/pod-shared
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $vencrypt_enabled "name" .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal "path" "/etc/pki/nova-novncproxy" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
       volumes:
@@ -166,14 +164,9 @@
           emptyDir: {}
         - name: pod-shared
           emptyDir: {}
-{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) }}
-        - name: vencrypt-certs
-          secret:
-            secretName: nova-novncproxy-vencrypt
-            defaultMode: 0444
-{{- end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $vencrypt_enabled "name" .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/charts/nova/values.yaml b/charts/nova/values.yaml
index 7f897ee..c5a679d 100644
--- a/charts/nova/values.yaml
+++ b/charts/nova/values.yaml
@@ -1511,6 +1511,8 @@
       novncproxy:
         public: nova-novncproxy-tls-public
         internal: nova-novncproxy-tls-proxy
+      vencrypt:
+        internal: nova-novncproxy-vencrypt
     compute_metadata:
       metadata:
         public: metadata-tls-public
@@ -1803,6 +1805,17 @@
       novnc_proxy:
         default: 6080
         public: 80
+  # This endpoint is only to allow configuring the cert used specifically for
+  # vencrypt.  Specifically, the same CA/issuer needs to be used to sign both
+  # this cert, and the libvirt/qemu certs.
+  compute_novnc_vencrypt:
+    hosts:
+      default: nova-novncproxy
+    host_fqdn_override:
+      default:
+        commonName: nova-novncproxy
+        usages:
+          - client auth
   compute_spice_proxy:
     name: nova
     hosts:
diff --git a/hack/sync-charts.sh b/hack/sync-charts.sh
index 7b1f887..67e7bed 100755
--- a/hack/sync-charts.sh
+++ b/hack/sync-charts.sh
@@ -135,7 +135,7 @@
   | filterdiff -p1 -i 'neutron/*' \
   | patch -p2 -d ${ATMOSPHERE}/charts/neutron
 
-NOVA_VERISON=0.3.16
+NOVA_VERISON=0.3.22
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm/nova-${NOVA_VERISON}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
 curl 'https://review.opendev.org/changes/openstack%2Fopenstack-helm~893563/revisions/1/patch?download' \