fix: implement isolated clusters
diff --git a/internal/pkg/image_repositories/build_workflow.go b/internal/pkg/image_repositories/build_workflow.go
index a5b48e7..b152947 100644
--- a/internal/pkg/image_repositories/build_workflow.go
+++ b/internal/pkg/image_repositories/build_workflow.go
@@ -41,7 +41,7 @@
 	"glance":        "glance_store[cinder]",
 	"horizon":       "git+https://github.com/openstack/designate-dashboard.git@stable/${{ matrix.release }} git+https://github.com/openstack/heat-dashboard.git@stable/${{ matrix.release }} git+https://github.com/openstack/ironic-ui.git@stable/${{ matrix.release }} git+https://github.com/vexxhost/magnum-ui.git@stable/${{ matrix.release }} git+https://github.com/openstack/neutron-vpnaas-dashboard.git@stable/${{ matrix.release }} git+https://github.com/openstack/octavia-dashboard.git@stable/${{ matrix.release }} git+https://github.com/openstack/senlin-dashboard.git@stable/${{ matrix.release }} git+https://github.com/openstack/monasca-ui.git@stable/${{ matrix.release }} git+https://github.com/openstack/manila-ui.git@stable/${{ matrix.release }}",
 	"ironic":        "python-dracclient sushy",
-	"magnum":        "magnum-cluster-api==0.5.0",
+	"magnum":        "magnum-cluster-api==0.5.1",
 	"monasca-agent": "libvirt-python python-glanceclient python-neutronclient python-novaclient py3nvml",
 	"neutron":       "neutron-vpnaas",
 	"placement":     "httplib2",
diff --git a/roles/barbican/tasks/main.yml b/roles/barbican/tasks/main.yml
index ebf57b6..fd40051 100644
--- a/roles/barbican/tasks/main.yml
+++ b/roles/barbican/tasks/main.yml
@@ -16,6 +16,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
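Review bot: `failed_when: false` on the "Suspend the existing HelmRelease" task hides every failure of the `kubernetes.core.k8s` call, not only the case this presumably targets, where the HelmRelease or its CRD is absent. An unreachable API server, an expired kubeconfig or an RBAC denial would now pass silently, and on the "Remove the existing HelmRelease" task the play would continue with the Flux object possibly still in place. The same line is added to the Remove hunk of this file and to the matching hunks in every other `roles/*/tasks/main.yml` touched by this commit. Consider registering the result and failing unless the error is the expected not-found case, or at minimum adding a comment such as `# tolerate clusters where the Flux HelmRelease CRD is not installed`. The enclosing `block:` starts and ends outside the hunk.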
@@ -27,6 +28,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/ceph_csi_rbd/tasks/main.yml b/roles/ceph_csi_rbd/tasks/main.yml
index 04826e5..f992364 100644
--- a/roles/ceph_csi_rbd/tasks/main.yml
+++ b/roles/ceph_csi_rbd/tasks/main.yml
@@ -64,6 +64,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -75,6 +76,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/cert_manager/tasks/main.yml b/roles/cert_manager/tasks/main.yml
index f20b1c6..89bdee3 100644
--- a/roles/cert_manager/tasks/main.yml
+++ b/roles/cert_manager/tasks/main.yml
@@ -19,6 +19,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -30,6 +31,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/cinder/tasks/main.yml b/roles/cinder/tasks/main.yml
index e52eaf7..540f7e5 100644
--- a/roles/cinder/tasks/main.yml
+++ b/roles/cinder/tasks/main.yml
@@ -16,6 +16,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -27,6 +28,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/coredns/tasks/main.yml b/roles/coredns/tasks/main.yml
index 2510fe2..c3fe1a2 100644
--- a/roles/coredns/tasks/main.yml
+++ b/roles/coredns/tasks/main.yml
@@ -16,6 +16,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -27,6 +28,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/defaults/defaults/main.yml b/roles/defaults/defaults/main.yml
index c692130..d98a8c8 100644
--- a/roles/defaults/defaults/main.yml
+++ b/roles/defaults/defaults/main.yml
@@ -103,6 +103,7 @@
   loki: docker.io/grafana/loki:2.7.3
   loki_gateway: docker.io/nginxinc/nginx-unprivileged:1.19-alpine
   magnum_api: quay.io/vexxhost/magnum:zed
+  magnum_cluster_api_proxy: quay.io/vexxhost/magnum:zed
   magnum_conductor: quay.io/vexxhost/magnum:zed
   magnum_db_sync: quay.io/vexxhost/magnum:zed
   magnum_registry: docker.io/library/registry:2.7.1
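Review bot: The new `magnum_cluster_api_proxy` entry points at the floating tag `quay.io/vexxhost/magnum:zed`, and the magnum role hunk in this commit runs that image in a `privileged: true` DaemonSet container with a hostPath mount of `/run/netns`. Whatever is pushed to that tag later will run with host-level privilege on the selected nodes at the next pod restart. Pinning by digest would make the deployed content reviewable, e.g. `magnum_cluster_api_proxy: quay.io/vexxhost/magnum:zed@sha256:<digest-placeholder>`. The neighbouring entries also use plain tags, so this may be a file-wide decision rather than something for this line alone.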
diff --git a/roles/designate/tasks/main.yml b/roles/designate/tasks/main.yml
index bd8e0a2..b951822 100644
--- a/roles/designate/tasks/main.yml
+++ b/roles/designate/tasks/main.yml
@@ -16,6 +16,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -27,6 +28,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/glance/tasks/main.yml b/roles/glance/tasks/main.yml
index f3ff7d5..3c4ce3c 100644
--- a/roles/glance/tasks/main.yml
+++ b/roles/glance/tasks/main.yml
@@ -16,6 +16,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -27,6 +28,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/heat/tasks/main.yml b/roles/heat/tasks/main.yml
index 11adf1e..961f4e0 100644
--- a/roles/heat/tasks/main.yml
+++ b/roles/heat/tasks/main.yml
@@ -16,6 +16,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -27,6 +28,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/horizon/tasks/main.yml b/roles/horizon/tasks/main.yml
index 5404637..dc980de 100644
--- a/roles/horizon/tasks/main.yml
+++ b/roles/horizon/tasks/main.yml
@@ -16,6 +16,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -27,6 +28,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/ingress_nginx/tasks/main.yml b/roles/ingress_nginx/tasks/main.yml
index 4595d4c..88410b1 100644
--- a/roles/ingress_nginx/tasks/main.yml
+++ b/roles/ingress_nginx/tasks/main.yml
@@ -16,6 +16,7 @@
   run_once: true
   block:
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/keystone/tasks/main.yml b/roles/keystone/tasks/main.yml
index 4bc689e..75e2e49 100644
--- a/roles/keystone/tasks/main.yml
+++ b/roles/keystone/tasks/main.yml
@@ -16,6 +16,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -27,6 +28,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/kube_prometheus_stack/tasks/main.yml b/roles/kube_prometheus_stack/tasks/main.yml
index 3d4bd07..d2f1f2c 100644
--- a/roles/kube_prometheus_stack/tasks/main.yml
+++ b/roles/kube_prometheus_stack/tasks/main.yml
@@ -45,6 +45,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -56,6 +57,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/libvirt/tasks/main.yml b/roles/libvirt/tasks/main.yml
index f941b64..8c66d1f 100644
--- a/roles/libvirt/tasks/main.yml
+++ b/roles/libvirt/tasks/main.yml
@@ -16,6 +16,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -27,6 +28,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/magnum/tasks/main.yml b/roles/magnum/tasks/main.yml
index c546565..d364282 100644
--- a/roles/magnum/tasks/main.yml
+++ b/roles/magnum/tasks/main.yml
@@ -19,6 +19,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -30,6 +31,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -101,6 +103,81 @@
     kubeconfig: /etc/kubernetes/admin.conf
     values: "{{ _magnum_helm_values | combine(magnum_helm_values, recursive=True) }}"
 
+- name: Deploy "magnum-cluster-api-proxy"
+  run_once: true
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      - apiVerison: v1
+        kind: ConfigMap
+        metadata:
+          name: magnum-cluster-api-proxy-config
+          namespace: "{{ magnum_helm_release_namespace }}"
+        data:
+          magnum_capi_sudoers: |
+            Defaults !requiretty
+            Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
+            magnum ALL = (root) NOPASSWD: /var/lib/openstack/bin/privsep-helper
+
+      - apiVersion: apps/v1
+        kind: DaemonSet
+        metadata:
+          name: magnum-cluster-api-proxy
+          namespace: openstack
+          labels:
+            application: magnum
+            component: cluster-api-proxy
+        spec:
+          selector:
+            matchLabels:
+              application: magnum
+              component: cluster-api-proxy
+          template:
+            metadata:
+              labels:
+                application: magnum
+                component: cluster-api-proxy
+            spec:
+              containers:
+                - name: magnum-cluster-api-proxy
+                  command: ["magnum-cluster-api-proxy"]
+                  image: "{{ atmosphere_images['magnum_cluster_api_proxy'] | vexxhost.kubernetes.docker_image('ref') }}"
+                  securityContext:
+                    privileged: true
+                    readOnlyRootFilesystem: true
+                  volumeMounts:
+                    - name: pod-tmp
+                      mountPath: /tmp
+                    - name: pod-run
+                      mountPath: /run
+                    - name: config
+                      mountPath: /etc/sudoers.d/magnum_capi_sudoers
+                      subPath: magnum_capi_sudoers
+                      readOnly: true
+                    - name: haproxy-state
+                      mountPath: /var/lib/magnum/.magnum-cluster-api-proxy
+                    - name: host-run-netns
+                      mountPath: /run/netns
+                      mountPropagation: Bidirectional
+              nodeSelector:
+                openstack-control-plane: enabled
+              securityContext:
+                runAsUser: 42424
+              serviceAccountName: magnum-conductor
+              volumes:
+                - name: pod-tmp
+                  emptyDir: {}
+                - name: pod-run
+                  emptyDir: {}
+                - name: config
+                  configMap:
+                    name: magnum-cluster-api-proxy-config
+                - name: haproxy-state
+                  emptyDir: {}
+                - name: host-run-netns
+                  hostPath:
+                    path: /run/netns
+
 - name: Create Ingress
   ansible.builtin.include_role:
     name: openstack_helm_ingress
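Review bot: The ConfigMap definition in the new "Deploy magnum-cluster-api-proxy" task spells its key `apiVerison: v1`, so the object carries no `apiVersion` and the task is likely to fail or skip the ConfigMap; it should read `apiVersion: v1`. The DaemonSet hard-codes `namespace: openstack` while the ConfigMap it mounts uses `"{{ magnum_helm_release_namespace }}"`, so a non-default release namespace would leave the `config` volume unresolvable; use `namespace: "{{ magnum_helm_release_namespace }}"` on both. The container combines `privileged: true`, a Bidirectional hostPath mount of `/run/netns` and a NOPASSWD sudoers rule for `privsep-helper`, which makes `runAsUser: 42424` only a weak boundary. A comment above `securityContext` should state why each of these is needed. The pod also reuses `serviceAccountName: magnum-conductor`; if the proxy needs less API access than the conductor, a dedicated service account would keep its token scoped to that.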
diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml
index d941a98..6590351 100644
--- a/roles/memcached/tasks/main.yml
+++ b/roles/memcached/tasks/main.yml
@@ -16,6 +16,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -27,6 +28,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/neutron/tasks/main.yml b/roles/neutron/tasks/main.yml
index 2b53912..18266f6 100644
--- a/roles/neutron/tasks/main.yml
+++ b/roles/neutron/tasks/main.yml
@@ -16,6 +16,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -27,6 +28,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/node_feature_discovery/tasks/main.yml b/roles/node_feature_discovery/tasks/main.yml
index 3e7a2dc..ca39131 100644
--- a/roles/node_feature_discovery/tasks/main.yml
+++ b/roles/node_feature_discovery/tasks/main.yml
@@ -19,6 +19,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -30,6 +31,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/nova/tasks/main.yml b/roles/nova/tasks/main.yml
index f1d868e..eb7df76 100644
--- a/roles/nova/tasks/main.yml
+++ b/roles/nova/tasks/main.yml
@@ -16,6 +16,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -27,6 +28,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/nova/vars/main.yml b/roles/nova/vars/main.yml
index 712242a..820b12c 100644
--- a/roles/nova/vars/main.yml
+++ b/roles/nova/vars/main.yml
@@ -80,8 +80,6 @@
         max_instances_per_host: 200
       glance:
         enable_rbd_download: true
-      libvirt:
-        volume_use_multipath: true
       neutron:
         metadata_proxy_shared_secret: "{{ openstack_helm_endpoints['compute_metadata']['secret'] }}"
       oslo_messaging_notifications:
diff --git a/roles/octavia/tasks/main.yml b/roles/octavia/tasks/main.yml
index a807dee..811f24c 100644
--- a/roles/octavia/tasks/main.yml
+++ b/roles/octavia/tasks/main.yml
@@ -16,6 +16,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -27,6 +28,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/openvswitch/tasks/main.yml b/roles/openvswitch/tasks/main.yml
index c4ca63b..bcc78ea 100644
--- a/roles/openvswitch/tasks/main.yml
+++ b/roles/openvswitch/tasks/main.yml
@@ -32,6 +32,7 @@
   delegate_to: "{{ groups['controllers'][0] }}"
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -43,6 +44,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/percona_xtradb_cluster_operator/tasks/main.yml b/roles/percona_xtradb_cluster_operator/tasks/main.yml
index 19cab59..9bb0d95 100644
--- a/roles/percona_xtradb_cluster_operator/tasks/main.yml
+++ b/roles/percona_xtradb_cluster_operator/tasks/main.yml
@@ -19,6 +19,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -30,6 +31,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/placement/tasks/main.yml b/roles/placement/tasks/main.yml
index d338ebe..ebc90a0 100644
--- a/roles/placement/tasks/main.yml
+++ b/roles/placement/tasks/main.yml
@@ -19,6 +19,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -30,6 +31,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/prometheus_pushgateway/tasks/main.yml b/roles/prometheus_pushgateway/tasks/main.yml
index f617f14..4c65c88 100644
--- a/roles/prometheus_pushgateway/tasks/main.yml
+++ b/roles/prometheus_pushgateway/tasks/main.yml
@@ -16,6 +16,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -27,6 +28,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/rabbitmq_cluster_operator/tasks/main.yml b/roles/rabbitmq_cluster_operator/tasks/main.yml
index 583f964..42068eb 100644
--- a/roles/rabbitmq_cluster_operator/tasks/main.yml
+++ b/roles/rabbitmq_cluster_operator/tasks/main.yml
@@ -19,6 +19,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -30,6 +31,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1
diff --git a/roles/senlin/tasks/main.yml b/roles/senlin/tasks/main.yml
index 673d308..a76587f 100644
--- a/roles/senlin/tasks/main.yml
+++ b/roles/senlin/tasks/main.yml
@@ -16,6 +16,7 @@
   run_once: true
   block:
     - name: Suspend the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: patched
         api_version: helm.toolkit.fluxcd.io/v2beta1
@@ -27,6 +28,7 @@
             suspend: true
 
     - name: Remove the existing HelmRelease
+      failed_when: false
       kubernetes.core.k8s:
         state: absent
         api_version: helm.toolkit.fluxcd.io/v2beta1